Information Security and Privacy: 14th Australasian Conference, ACISP 2009 Brisbane, Australia, July 1-3, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany

5594

Colin Boyd Juan González Nieto (Eds.)

Information Security and Privacy 14th Australasian Conference, ACISP 2009 Brisbane, Australia, July 1-3, 2009 Proceedings

13

Volume Editors Colin Boyd Juan González Nieto Queensland University of Technology Information Security Institute GPO Box 2434, Brisbane, QLD 4001, Australia E-mail: {c.boyd, j.gonzaleznieto}@qut.edu.au

Library of Congress Control Number: 2009930749 CR Subject Classification (1998): E.3, K.6.5, D.4.6, C.2, E.4, F.2.1, K.4.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN ISBN-10 ISBN-13

0302-9743 3-642-02619-2 Springer Berlin Heidelberg New York 978-3-642-02619-5 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12707515 06/3180 543210

Preface

The 2009 Australasian Conference on Information Security and Privacy was the 14th in an annual series that started in 1996. Over the years ACISP has grown from a relatively small conference with a large proportion of papers coming from Australia into a truly international conference with an established reputation. ACISP 2009 was held at Queensland University of Technology in Brisbane, during July 1–3, 2009. This year there were 106 paper submissions and from those 30 papers were accepted for presentation, but one was subsequently withdrawn. Authors of accepted papers came from 17 countries and 4 continents, illustrating the international flavor of ACISP. We would like to extend our sincere thanks to all authors who submitted papers to ACISP 2009. The contributed papers were supplemented by two invited talks from eminent researchers in information security. Basie von Solms (University of Johannesburg), currently President of IFIP, raised the question of how well dressed is the information security king. L. Jean Camp (Indiana University) talked about how to harden the network from the friend within. We are grateful to both of them for sharing their extensive knowledge and setting challenging questions for the ACISP 2009 delegates. We were fortunate to have an energetic team of experts who formed the Program Committee. Their names may be found overleaf, and we thank them warmly for their considerable efforts. This team was helped by an even larger number of individuals who reviewed papers in their particular areas of expertise. A list of these names is also provided which we hope is complete. We would like to express our thanks to Springer for continuing to support the ACISP conference and for help in the conference proceedings production. We are delighted to acknowledge the generous financial sponsorship of ACISP 2009 by the Research Network for a Secure Australia (funded by the Australian Research Council). The conference was hosted by the Information Security Institute at Queensland University of Technology, who provided first-class facilities and material support. The excellent Local Organizing Committee was led by the ACISP 2009 General Chair, Ed Dawson, with key contributions from Elizabeth Hansford and Christine Orme. We made use of the iChair electronic submission and reviewing software written by Thomas Baign`eres and Matthieu Finiasz at EPFL, LASEC. July 2009

Colin Boyd Juan Gonz´ alez Nieto

Organization

General Chair Ed Dawson

Queensland University of Technology, Australia

Program Co-chairs Colin Boyd Juan Gonz´ alez Nieto

Queensland University of Technology, Australia Queensland University of Technology, Australia

Program Committee Michel Abdalla Tuomas Aura Feng Bao Lynn Batten Mike Burmester Andrew Clark Marc Dacier Sabrina De Capitani di Vimercati Josep Domingo-Ferrer Alain Durand Pierre-Alain Fouque Steven Galbraith Dieter Gollman Maria Isabel Gonz´ alez Vasco Kwangjo Kim Lars Knudsen Pil Joong Lee Xuejia Lai Mark Manulis Chris Mitchell Atsuko Miyaji Paul Montague Yi Mu Eiji Okamoto Pascal Paillier Kenny Paterson Josef Pieprzyk

´ Ecole Normale Sup´erieure, France Microsoft Research, UK Institute for Infocomm Research, Singapore Deakin University, Australia Florida State University, USA Queensland University of Technology, Australia Symantec Research Labs Europe, France Universit` a degli Studi di Milano, Italy Universitat Rovira i Virgili, Spain Thomson, France Ecole Normale Sup´erieure, France Royal Holloway, UK Hamburg University of Technology, Germany Universidad Rey Juan Carlos, Spain Information and Communication University, Korea Technical University of Denmark, Denmark Pohang University of Science and Technology, Korea Shanghai Jiaotong University, China TU Darmstadt, Germany Royal Holloway, UK JAIST, Japan DSTO, Australia University of Wollongong, Australia Tsukuba University, Japan Gemalto, France Royal Holloway, UK Macquarie University, Australia

VIII

Organization

Matt Robshaw Carsten Rudolph Mark Ryan Rei Safavi-Naini Palash Sarkar Ron Steinfeld Douglas Stinson Willy Susilo Jorge Villar Huaxiong Wang Duncan Wong

Orange Labs, France Fraunhofer SIT, Germany University of Birmingham, UK University of Calgary, Canada Indian Statistical Institute, India Macquarie University, Australia University of Waterloo, Canada University of Wollongong, Australia Universitat Polit`ecnica de Catalunya, Spain Nanyang Technological University, Singapore University of Hong Kong, China

External Reviewers Davide Alessio Myrto Arapinis Tomoyuki Asano Mina Askari Man Ho Au Julia Borghoff Joo Yeon Cho Imsung Choi Carlos Cid Nico Doettling Ming Duan Dang Nguyen Duc Orr Dunkelman Sungwook Eom Martin Gagn´e Praveen Gauravaram David Galindo Zheng Gong Choudary Gorantla Fuchun Guo Jian Guo Kyusuk Han Francisco Rodr´ıguez Henr´ıquez Matt Henricksen Javier Herranz Jonathan Hoch Dennis Hofheinz Qiong Huang Xinyi Huang Tibor Jager

Shaoquan Jiang Marc Joye Stefan Katzenbeisser Angelos Keromytis Sun Young Kim Izuru Kitamura Divyan M. Konidala Gregor Leander Hyunrok Lee Corrado Leita Benoit Libert Xibin Lin Hans Loehr Xianhui Lu Yi Lu Atefeh Mashatan Toshihiko Matsuo Krystian Matusiewicz J¨ orn M¨ uller-Quade Hyeran Mun Kris Narayan Kazuto Ogawa Kazumasa Omote Hyewon Park Vijayakrishnan Pasupathinathan Axel Poschmann Angel L. Perez del Pozo Thomas Plantard Siamak Shahandashti Ben Smyth

Agusti Solanas Rainer Steinwandt Pairat Thorncharoensri Leonie Simpson Bo Qin Rolando Trujillo Rasua Jae Woo Seo Michal Sramka Xiaorui Sun Tomas Toft Olivier Thonnard Sungmok Shin Sren S. Thomsen Damien Vergnaud Nguyen Vo Zhongmei Wan Hongjun Wu Mu-En Wu Jiang Wu Qianhong Wu Wei Wu Zhongming Wu Xiaokang Xiong Yeon-Hyeong Yang Myunghan Yoo Kazuki Yoneyama Tsz Hon Yuen Greg Zaverucha Lei Zhang Liangfeng Zhang Huafei Zhu

Table of Contents

Invited Lecture Is the Information Security King Naked? . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basie von Solms

1

Network Security Measurement Study on Malicious Web Servers in the .nz Domain . . . . . . Christian Seifert, Vipul Delwadia, Peter Komisarczuk, David Stirling, and Ian Welch

8

A Combinatorial Approach for an Anonymity Metric . . . . . . . . . . . . . . . . . Dang Vinh Pham and Dogan Kesdogan

26

On Improving the Accuracy and Performance of Content-Based File Type Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin, and ManPyo Hong

44

Symmetric Key Encryption Attacking 9 and 10 Rounds of AES-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ewan Fleischmann, Michael Gorski, and Stefan Lucks

60

Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jiali Choy, Guanhan Chew, Khoongming Khoo, and Huihui Yap

73

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¨ Onur Ozen, Kerem Varıcı, Cihangir Tezcan, and C ¸ elebi Kocair

90

Improved Cryptanalysis of the Common Scrambling Algorithm Stream Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Leonie Simpson, Matt Henricksen, and Wun-She Yap

108

Testing Stream Ciphers by Finding the Longest Substring of a Given Density . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Serdar Bozta¸s, Simon J. Puglisi, and Andrew Turpin

122

New Correlations of RC4 PRGA Using Nonzero-Bit Differences . . . . . . . . Atsuko Miyaji and Masahiro Sukegawa

134

X

Table of Contents

Hash Functions Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mohammad Reza Reyhanitabar, Willy Susilo, and Yi Mu

153

Characterizing Padding Rules of MD Hash Functions Preserving Collision Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mridul Nandi

171

Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hongbo Yu and Xiaoyun Wang

185

Inside the Hypercube . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jean-Philippe Aumasson, Eric Brier, Willi Meier, Mar´ıa Naya-Plasencia, and Thomas Peyrin Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions: Application to RIPEMD and Others . . . . . . . . . . . . . . . . . . . . . . Yu Sasaki and Kazumaro Aoki On the Weak Ideal Compression Functions . . . . . . . . . . . . . . . . . . . . . . . . . . Akira Numayama and Keisuke Tanaka

202

214 232

Invited Lecture Hardening the Network from the Friend Within . . . . . . . . . . . . . . . . . . . . . . L. Jean Camp

249

Public Key Cryptography Reducing the Complexity in the Distributed Computation of Private RSA Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Peter Lory

250

Efficiency Bounds for Adversary Constructions in Black-Box Reductions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ahto Buldas, Aivo J¨ urgenson, and Margus Niitsoo

264

Building Key-Private Public-Key Encryption Schemes . . . . . . . . . . . . . . . . Kenneth G. Paterson and Sriramkrishnan Srinivasan Multi-recipient Public-Key Encryption from Simulators in Security Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Harunaga Hiwatari, Keisuke Tanaka, Tomoyuki Asano, and Koichi Sakumoto

276

293

Table of Contents

XI

Fair Threshold Decryption with Semi-Trusted Third Parties . . . . . . . . . . . Jeongdae Hong, Jinil Kim, Jihye Kim, Matthew K. Franklin, and Kunsoo Park

309

Conditional Proxy Broadcast Re-Encryption . . . . . . . . . . . . . . . . . . . . . . . . . Cheng-Kang Chu, Jian Weng, Sherman S.M. Chow, Jianying Zhou, and Robert H. Deng

327

Security on Hybrid Encryption with the Tag-KEM/DEM Framework . . . Toshihide Matsuda, Ryo Nishimaki, Akira Numayama, and Keisuke Tanaka

343

Protocols A Highly Scalable RFID Authentication Protocol . . . . . . . . . . . . . . . . . . . . Jiang Wu and Douglas R. Stinson

360

Strengthening the Security of Distributed Oblivious Transfer . . . . . . . . . . K.Y. Cheong, Takeshi Koshiba, and Shohei Nishiyama

377

Towards Denial-of-Service-Resilient Key Agreement Protocols . . . . . . . . . Douglas Stebila and Berkant Ustaoglu

389

A Commitment-Consistent Proof of a Shuffle . . . . . . . . . . . . . . . . . . . . . . . . Douglas Wikstr¨ om

407

Implementation Finite Field Multiplication Combining AMNS and DFT Approach for Pairing Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nadia El Mrabet and Christophe Negre

422

Random Order m-ary Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michael Tunstall

437

Jacobi Quartic Curves Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson

452

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

469

Is the Information Security King Naked? Basie von Solms University of Johannesburg Johannesburg South Africa [email protected]

Abstract. As children we probably all often listened to the fable of the king who rode nakedly through the street thinking he wore a beautiful new coat created for him by his (rogue) tailor. Nobody wanted to tell him that he was naked, because they all feared him – until a small boy revealed the truth. This paper asks whether the IT industry is not in the same position – Information Security wise totally naked - although everyone tells everyone else how secure our IT systems are. Keywords: Information Security, Information Security Governance, Insecure systems, Naked, Viruses, Social engineering, Ethics.

1

How Well Is the Information Security King Dressed?

In the fable, the main reason why his subordinates did not tell the king that he was naked, was because they wanted to keep him happy – for whatever reason and under all circumstances. They knew perfectly well that what they told him was not true, but that was less important than keeping him happy. Eventually when the truth was exposed – that he was actually naked – probably all his advisors disappeared or claimed ignorance! This paper tries to investigate the present situation as far as the way the Information Security king is dressed. In this paper we envisaged the Information Security king wanting to attend certain events (functions) and for every function he needs a dress. The Information Security king is seen as representative of those who rely on us as Information Security professionals to ensure that IT systems are secure – they include customers, clients, patients, bosses, business owners etc. The functions the king wants to attend represent the IT systems used by the king, and the dress is representative of the Information Security capabilities of IT systems developed to be used by the king. We, as information security professionals and practitioners, are representative of the advisors to the king about the quality of his dress for a specific function. Of course there are many Information Security kings, and many events, and many dresses, but in this paper we investigate the issue in general. Does the possibility exist that we, as Information Security practitioners and professionals truly believe that the Information Security king is (always) properly C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 1–7, 2009. c Springer-Verlag Berlin Heidelberg 2009 

2

B. von Solms

(suitably) dressed, without realizing that he is maybe already naked or nearly naked? Even worse, does the possibility exist that we, as Information Security practitioners and professionals know very well that the Information Security king is already naked, or nearly naked, but we choose not to advise him about this fact? It is important that we think about these questions, because the Information Security king relies on our advice! As Information Security professionals we must all agree on one basic fact – perfect Information Security is not possible. In no way can any operational IT system on this planet be perfectly secured. Anyone claiming that is advising the king that he is always regally dressed – fit for a king - while knowing perfectly well that he is at the most well dressed, or even only casually dressed or dressed in a swimming pants or even a g-string! The real question is then – how good can we secure systems, meaning how well can we actually dress the king? I trust that this paper will stimulate the growing discussion about the security of IT systems, and the role that we as Information Security professionals should play in ensuring the security of such systems. Let us investigate some reasons why many, including the author, have a very worrying feeling that at the present time, for many important functions, the Information Security king is (often) very, very scantily dressed.

2

Should There Be a Worry about the Information Security King’s Dress?

Do we have reason to be worried? Why is the question, comprising the title of this paper, at all necessary? Let us investigate a few quotes from publications over the last few years to give us some clue: ‘Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes’ [3] ‘On the Internet you are always living in a bad neighborhood...’ [4] ‘Security remains one of the hottest topics in IT today – one that keeps users baffled and petrified, boards of directors tied up in discussions and the poor IT manager awake at night...’ [4] ‘Consumer Reports recently conducted a survey of more than 3200 US home computer users with Internet access. Results show that these users have a one-in three likelihood of experiencing damage to their computers, financial loss or both because of a computer worm, virus, Trojan horse or spyware.’ [5] ‘An intruder gained unauthorized access into a ... system, potentially exposing more than 33000 officers to identity theft’ [5]

Is the Information Security King Naked?

3

‘A computer tape from a Connecticut bank containing personal data on 90,000 customers, including names, addresses, Social Security numbers and checking account numbers, was lost in transit recently.’ [6] ‘Personal information for 55,000 customers, including bank data and Social Security numbers, has been stolen from a database at the upmarket Atlantis Resort in the Bahamas.’ [7] ‘In November alone, the Anti-Phishing Working Group (APWG) received 16,882 unique reports of phishing attacks that attempted to fool consumers with 93 different hijacked brands, according to a report the group released this week. November’s phishing attacks marked an all-time high, climbing from the 15,820 the group received notice of in October, and doubling the number of attacks recorded in November 2004, according to the report.’ [8] ‘Since early 2005, more than 150 million personal records have been exposed.’ [9] ‘RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer system had been improperly accessed by an unauthorized party. ..... Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed.’ [10] ‘Late last week, Jefferson County Clerk Jennifer Maghan said she unveiled a new online search tool that enabled residents and business professionals to access nearly 1.6 million documents that are stored in her office via their home computers.’ [10] The quotes above are just a very small number of those which are mentioned daily and weekly concerning Information Security issues – there are many more! We, as Information Security professionals, know (or should know) this. We also know that the Internet as a system has now become so complex and sophisticated, that it is basically impossible to properly secure any IT system using this Internet. We know that the ‘window of vulnerability’, ie the time between a vulnerability being announced and the first virus exploiting that vulnerability is let loose, is becoming smaller and smaller (zero-day vulnerability). The question is what do we tell the Information Security king? It is and stays our responsibility to seriously talk to the king about his dress, and where necessary, tell him directly that he runs the risk of being naked. This basic ‘unsafe (naked) at any time’ feeling is not only because of the Internet. One of the major threats to the use of any IT systems has always been, and will always be the fact that such systems are used by humans – that is the weakest link. The growing threat of specialized social engineering, where the trust of the user is misused to gain important access and other IT related information, is becoming extremely pervasive. ‘... gurus agree that, generally, user-focused attacks present perhaps the biggest threat today.’ [4]

4

B. von Solms

Knowing all this, and taking all this into account, we as Information Security professionals have no other option than to be (very) worried about the king’s dress! Personally this author feels that the Information Security king is often very close to naked, specifically for specific events, and is worried that many advisors still convince him that he is well dressed for such events. This feeling does, of course, not imply that all IT systems are insecure, or that it is impossible to secure any IT system. It does imply that many new IT systems are – so complex and ‘close to the edge’, that such systems should rather not be developed or implemented, or – implemented and put into production without proper and adequate information security features designed into the system, or – are put into production without comprehensive testing the security features of the system History has some form of analogy relevant to the issues discussed above. This is briefly discussed in the next paragraph

3

The Strategic Defense Initiative (SDI) and David Parnas

‘The Strategic Defense Initiative (SDI), commonly called Star Wars after the popular science fiction series, was a system proposed by U.S. President Ronald Reagan on March 23, 1983 to use space-based systems to protect the United States from attack by strategic nuclear missiles. It was never implemented and research in the field tailed off after the end of the Cold War.’ [2] Prof David Parnas, one of the pioneers in the development of Computer Science and Software Engineering, was at that time a consultant to the Office of Naval Research in Washington, and was one of nine scientists asked by the Strategic Defense Initiative Office to serve on the “panel on computing in support of battle management”. Parnas resigned from this advisory panel on antimissile defense, asserting that it will never be possible to program a vast complex of battle management computers reliably or to assume they will work when confronted with a salvo of nuclear missiles. In his letter of resignation he said that it would never be possible to test realistically the large array of computers that would link and control a system of sensors, antimissile weapons, guidance and aiming devices, and battle management stations. Nor, he protested, would it be possible to follow orthodox computer program-writing practices in which errors and “bugs” are detected and eliminated in prolonged everyday use. “I believe,” Professor Parnas said, “that it is our duty, as scientists and engineers, to reply that we have no technological magic that will accomplish that. The President and the public should know that.” [1]

Is the Information Security King Naked?

5

In 1984 the ACM Council passed and published an important resolution. It begins: Contrary to the myth that computer systems are infallible, in fact computer systems can and do fail. Consequently, the reliability of computer-based systems cannot be taken for granted. This reality applies to all computer-based systems, but it is especially critical for systems whose failure would result in extreme risk to the public. Increasingly, human lives depend upon the reliable operation of systems such as air traffic and high-speed ground transportation control systems, military weapons delivery and defense systems, and health care delivery and diagnostic systems. [1] Although Parnas’s stand was related to nuclear warfare, which may not be so relevant today anymore, the morale of this story is still the same. Parnas and the ACM highlighted the reliability issues of the use of computers, because they were important issues concerning the man in the street. They clearly told the DSI king that he runs the danger of being totally naked! It is important to note that Parnas did not say that all computer systems are unreliable – he just said that this specific initiative was dangerous. The reader may now say that the SDI issues were related to the reliability of nuclear computer systems, and not to the Information Security of commercial systems. My answer to such a reaction is : ‘Is the Information Security of general IT systems today, even though they are now much more business focussed, less important, or less complicated?’ Just have a look at paragraph 2 above, or ask a person who lost all his/her money through fraud committed using IT systems whether he sees it as a serious issue or not? Following Parnas’s quote above, I want to state : ‘it is our duty, as Information Security practitioners to make it heard from all platforms that IT systems are becoming so complex that we doubt whether they can still be properly protected in all cases. The public should know that’ Maybe the ACM and other relevant bodies like IFIP [11] should again take a stance on this issue as the ACM took in 1985.

4

What Should We Do?

We must have the willingness to advise, and keep advising the king, and we must refuse to be part of the tailor’s creation if we are convinced that the resulting risk will be too high. The motor manufacturing industry can build cars which can do 300 kilometer per hour, but they realize that for security reasons, they must govern the speed to acceptable safe levels. Coming back to the statement in paragraph 2 above, about users having a one-in-three likelihood of experiencing damage to their computers, financial loss or both because a computer worm, virus, Trojan horse or spyware. Will we buy a car if we know that the there is a one-in-three chance of brake failure? We know that we can build extremely powerful and useful IT systems, specifically exploiting the power of the Internet, but the core question must be the security and safety of such systems – we owe that to the man in the street who will use such systems.

6

B. von Solms

Are we not at the point where we as Information Security professionals must start raising our voices about more and more new and complex systems being developed and rolled out – systems which are too complex and dangerous for their own good, and where the eventual loser will most probably be the well trusting user of a system? I challenge my peers in this field, and IT organizations to start an open discussion about the wardrobe of the Information Security king. However, there may be another issue related to the question stated above. The statement uses the term ‘information security professionals’. Let us briefly investigate this aspect.

5

Information Security Professionals

The reasoning in this paper sofar accepts that we, working in the field of Information Security and who act as advisors to the Information Security king, can call ourselves ‘Information Security Professionals’ ! Can we really do that? Are we really professionals, as the term is understood in other circles like medicine, engineering etc? Do we belong to a professional body which has a defined Body of Knowledge, an Ethics Code or a Disciplinary Code? Can we be held accountable for the advice we give to the Information Security king? Do we have a ‘true’ Information Security Profession which is acknowledged internationally? The answer must be ‘NO’ at this stage! There are some bodies which do ‘certify’ people as Information Security Professionals, and that is already a step in the right direction. However, it does not go far enough, and do not create ‘true’ Information Security Professionals or a ‘true’ Information Security Profession. Other initiatives are developing to create a ‘true’ Information Technology Profession, but that is wider than Information Security. Notable examples of these initiatives are those by IFIP, through the International Information Technology Professional (IITP) and I3P programs, those by some national IT Societies like the Australian, British, Canadian and South African Computer Societies and the IEEE-CS. We must ensure that these initiatives should also cater for a dedicated ‘Information Security Professional’. In the meantime, we as Information Security practitioners (not yet Information Security professionals) should act extremely responsible in our advice roles.

6

Summary

We, as Information Security practitioners (professionals?) must ask ourselves two questions : 1. Is the Information Security king naked? Personally I think it is not (yet) the case, but I very strongly feel that he is NOT well dressed, and I am worried that we are wary and scared to tell him that.

Is the Information Security King Naked?

7

2. How are we going to organize ourselves into a true Information Security Profession? Let’s talk about this matter – we owe it to the king and the users out there.

References 1. The Risk Digest 1(1) (1985), http://catless.ncl.ac.uk/Risks/1.01.html (accessed April 2009) 2. Wikipedia, http://en.wikipedia.org/wiki/Strategic Defense Initiative (accessed April 2009) 3. Winkler, I.: Guard against Titan Rain hackers (2005), http://www.computerworld.com/printthis/2005/0,4814,105585,00.html (accessed April 2009) 4. Haggard, B.: iWeek (December 1, 2005), www.iweek.co.za 5. Schultz, E.: Computers and Security 24(8) (2005) 6. Lawson, S.: ComputerWorld (accessed April 2009), http://cwflyris.computerworld.com/t/242864/94135/5963/0/ 7. Nicolai, J.: ComputerWorld (2006), http://cwflyris.computerworld.com/t/ 242864/94135/5965/0/ (accessed April 2009) 8. Garretson, C.: NETWORK WORLD (2006), http://www.computerworld.com/ securitytopics/security/story/0,10801,107747,00.html?source=NLT SEC& nid=107747 (accessed April 2009) 9. Theft Statistics (2007), http://www.absolute.com/EMEA/computer-theft-statistics-details.asp (accessed April 2009) 10. Theft Centre (2008), http://www.idtheftcenter.org/BreachPDF/ITRC Breach Report 2008 final.pdf (accessed April 2009) 11. IFIP, http://www.ifip.org

Measurement Study on Malicious Web Servers in the .nz Domain Christian Seifert, Vipul Delwadia, Peter Komisarczuk, David Stirling, and Ian Welch School of Engineering and Computer Science Victoria Univestity of Wellington P.O. Box 600, Wellington 6140, New Zealand {cseifert,vipul,peterk,david.stirling,ian}@ecs.vuw.ac.nz

Abstract. Client-side attacks have become an increasing problem on the Internet today. Malicious web pages launch so-called drive-by-download attacks that are capable to gain complete control of a user’s machine by merely having that user visit a malicious web page. Criminals that are behind the majority of these malicious web pages are highly sensitive to location, language and economic trends to increase their return on investment. In this paper, a comprehensive measurement study of malicious web servers on the .nz domain is presented. The risk of drive-by-download attacks has been compared with other domains showing no elevated risk for the .nz domain. However, a comprehensive assessment of the .nz domain showed the existence of malicious web pages across a variety of types of web pages. Blacklisting services showed limited success to protect against such malicious web pages. This is primarily attributed to the highly dynamic nature of malicious web pages. Over a period of eight months, the .nz domain was monitored and continuous shifting of malicious behavior of web pages has been observed. The rates observed show that on average 50% of malicious URLs identified change monthly. The rates pose a challenge to blacklisting services as well as a risk to end users with rapid dissemination of zero-day attacks. Frequent scans of the web are required to obtain a good up-to-date view of the threat landscape.

1

Introduction

Broadband connectivity and the great variety of services offered over the Internet have made it an important source of information and entertainment and a major means of communication. In 2009, users are more connected than ever. With connectivity to the Internet, however, come security threats. Because the Internet is a global network, an attack can be delivered anonymously from any location in the world. Security professionals responding to these threats offer a wide range of mitigation strategies and measures. As attack vectors are barred by defenses, malicious users seek out new, unprotected paths of attack. One of these is the client-side attack, which targets client applications. As the client accesses a malicious server, the server delivers C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 8–25, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Measurement Study on Malicious Web Servers in the .nz Domain

9

the attack to the client as part of its response. A web server that attacks web browsers is a common example. As the web browser requests content from a web server, the server returns a malicious web page that attacks the browser. These, so-called drive-by-download attacks, are capable of gaining complete control of the user’s machine without the user’s notice or consent. Merely visiting a web page with a vulnerable browser is sufficient for a successful attack to occur. Traditional defenses, such as firewalls, pose no barrier against these attacks and antivirus detection is currently poor [1]. Malicious web pages are prevalent in many areas of the Internet [2]. As such, any user might be affected and if this problem is not tackled more effectively it might result in a loss of trust in usage of the Internet and therefore negatively impact cyber commerce, banking and e-government efforts. To increase the effectiveness of the malicious web pages, criminals are highly sensitive to location, language and economic trends [3]. Specific regions, for example, are targeted in, so-called, campaigns. As a result, attacks might differ from country to country [3]. For instance, the majority of malware on Chinese sites might target stealing passwords from online gamers [4,5] whereas malware on Brazilian sites is designed to steal bank account information [5]. With specific campaigns, attackers are capable to increase their return on investment. Purpose of this study is to assess the threat of drive-by-download attacks within New Zealand. Not only is a New Zealand threat profile compared to other countries, but also a measurement study is conducted over an eight month period. The specific goals are: – Assess where the threat is located. Not only are physical and network characteristics investigated, but malicious web pages are also inspected for content to assess concentration of malicious web pages on particular types of web pages. – Comprehensively assess the threat within the New Zealand domain. The goal is to assess how many malicious web pages exist. – Evaluate protection mechanisms. A variety of common protection mechanisms are evaluated in their effectiveness to protect end users from the threat of drive-by-download attacks. – Investigate the changes in the threat landscape. The question of whether drive-by-download attacks are an increasing or decreasing phenomena are answered. Phenomena that are observed over the eight months period are investigated and assessed in detail. The paper is structured as follows. In section 2, related work is presented. Section 3 describes the threats to internal and external validity that experimental designs may pose to measurement studies as presented in this paper. Sections 4,5, and 6 present the measurement study; section 7 concludes.

2

Related Work

Several measurement studies and whitepapers exist that describe the threat landscape. Most security vendors publish white papers on a regular basis. Because

10

C. Seifert et al.

campaigns are part of malware and malicious web sites, the security companies in this space pay special attention to geography. Data from the majority of reports list two countries to be hosting the majority of web-based client-side attacks: The United States of America and China [6,7,5]. McAfee didnt investigate physical location, but rather investigated top level domain names [8]. Their report shows that web sites in the .ro (Romania with 1.119%), .info, and .nu (Niue with 0.514%) contain the highest percentage of malicious web sites. .cn (China with 0.307%) is listed in fourth; .us (United States with 0.075%) in 18th position. New Zealand is not listed in the report. The shortcoming of these white papers is the fact that most are created by commercial entities that lack transparency in their data collection methodology and, as such, it is very difficult to assess external and internal validity. In this paper, we identify and mitigate threats to internal and external validity of the measurement study in a systematic and thorough manner. China is named repeatedly in the white papers. Malicious web sites and the underground economy of the Chinese web was the focus of an academic study by Zhuge et al. [9]. Measurements on popular Chinese web pages revealed a high percentage of malicious web pages of 1.38%. These pages were sourced by submission of popular query terms to the Baidu search engine. The focus of the study presented in this paper investigates the .nz domain comprehensively: both popular and unpopular web pages; web pages that are indexed by search engines and web pages that are not indexed by search engines. Further, this study investigates the .nz over a period of 8 months, which allows us to investigate trends and other behavior that is influenced by time. Provos et al. also conducted a measurement study on malicious web pages that were part of Google’s index [10]. Over a period of 11 months, Provos et al inspected 66 million URLs. They observed an increasing trend of malicious URLs on their search results page. For each malicious URL, they investigated the physical location of the web page denoted by the URL as well as the server that hosts the exploit. China and the United states were the top two countries in both categories. New Zealand is not listed in their statistics. The work presented in this paper, focuses on the .nz domain. This study is comprehensive because our sample of pages represent a significant proportion of the .nz domain. We argue that our survey was comprehensive because we inspected 247,198 web servers and we estimate there to be 500,000 web servers based in New Zealand. Note that our estimate is very rough as it is arrived at by assuming 30% of hosts are web servers and there are at least 1.7 million hosts (according to the 2008 CIA Factbook) in New Zealand. Furthermore, the 30% is based upon Internet Systems Consortiums January 2009 (www.isc.org) estimate of 625 million hosts on the Internet and NetCrafts January 2009 (www.netcraft.com) estimate of 185 million web servers on the Internet. In addition, few studies exist that measure the prevalence of drive-by-download attacks. These studies use crawlers and search engine to generate a list of potentially malicious web sites. Measurements of 0.2% [11], 0.071% [12] and 0.1% [2] were observed. Direct comparison, however, cannot be conducted due to a lack

Measurement Study on Malicious Web Servers in the .nz Domain

11

of information provided by the studies. As part of this work, the methodology of this study is disclosed so the results can be put into context in the future.

3

Threats to Internal and External Validity

The presented measurement study is designed to identify and collect information about malicious web pages with client honeypots. The purpose of this study is to answer the question on magnitude of the problem, where the threat is located, whether the threat is increasing/decreasing, assess protection mechanisms, etc. Further, the output of the measurement study could be used in economic models as illustrated by a variety of security related economic studies [13,14,9,15]. The business models [16,3] of the operation behind the malicious web pages can be used to devise strategies to break the business model. Measurement provides the inputs for accurate business models. To utilize measurement studies for the purposes mentioned above, they have to have external and internal validity. The study needs conduct measurements correctly, so it measures what it is designed to measure (internal validity) and it needs to be generalizable beyond the experimental setting (external validity.) Threats to external and internal validity are plentiful, such as designs that include confounding variables or attempt inappropriate analysis. The major threats to the internal and external validity we identified are uncontrolled variables. These including our mitigation strategy are presented next. The threats are organized into three groups. 3.1

Apparatus (Client Honeypot)

Several threats were identified around the client honeypot technology used to conduct the measurement. A group of high priority threats were concerned with the functional aspects of correctness of the client honeypot. Questions on whether the client honeypot performs what it is designed to do were raised multiple times. The mitigation strategy identified was functional testing. Functional testing can be supported when the technology is transparent and available to a larger audience, so it can be examined and tested. The open-source community does provide this level of support and is one driver why our client honeypot has been made publically available as an open-source project. We believe that many threats are mitigated through this strategy. In addition to the correctness of the client honeypot, reliability was a concern. Especially in a setting in which there are several network components involved and attack code is executed, threats that stem from low reliability emerge. Continuous monitoring and error handling appear to be mitigating these threats and have been implemented as part of our client honeypot. Bias introduced by URL selection and client honeypot configuration were identified to be a threat to external validity. A sample taken from dubious sources, such as links in email SPAM messages, can show very different characteristics in malicious web pages than web pages sourced from search engines in a random

12

C. Seifert et al.

fashion [2]. While difficult to address the bias directly, full disclosure how URLs are sourced or providing the list of URLs used and how client honeypots are configured can prevent generalizing beyond the subjects studied. 3.2

Subjects (Web Page(s))

The subjects, the web pages, also pose a variety of threats to the experimental design of the measurement study. The primary threat is related to connectivity issues in which a web page may not be able to participate in the study because the network components, such as DNS server or/and HTTP server, are temporarily unreachable. This threat may be addressed through retrying retrieval of the web page multiple times and logging any unsuccessful visits of the web pages. Further, a malicious web page may choose not to participate in the study. It could selectively not launch an attack as part of the study, but do so when accessed by a regular used. This may be caused by anti-forensic techniques employed by the malicious web page. The selective behavior could stem from the fact that the web page somehow identified the client honeypot. Primarily a malicious web page can identify the client honeypot through the means it makes requests; this threat is more closely reviewed in the following section. 3.3

Stimuli (Making the Request)

Stimuli, in our context the means of making the request to retrieve the web page for it to participate in the measurement study, is the final area that could pose threats to the validity of the measurement study. Since the process of making the request is part of the apparatus, similar threats around functional correctness and reliability apply to making the request. Functional testing and monitoring functionality during operation is the primarily mitigation strategy for those threats. As mentioned in the previous section, a malicious web page may choose not to participate in the study through identification that is part of the study. A malicious web page may do so by analyzing the way requests are made. Several characteristics of the requests may cause this threat: Location, time, deceptive nature, and history. Location. Location from where requests are made may pose a threat to a measurement studys validity. The two main reason why location is of importance are the campaigns run by attackers and evasion techniques. Campaigns were already described above. For a client honeypot, a campaign may manifest itself in an inability to detect certain malicious web pages that do target clients at a specific location. A client honeypot located in New Zealand accessing a malicious web that only triggers an attack if accessed from a client located in Germany will not be exposed to the attack and therefore fail identification of that malicious web page. An assessment on where a client is located is primarily made by mapping the IP address of the client to a specific location with freely available libraries,

Measurement Study on Malicious Web Servers in the .nz Domain

13

such as MaxMind Geolocation Technology [17]. Web exploitation kits, such as MPack, provide functionality to enable location based triggering of attacks [18]. The geolocation-dependent triggering could easily be extended into a more fine grained triggering mechanism as an evasion technique to avoid specific networks. Since location and locale pose threats to the measurement study, they should be explicitly documented. Time. Malicious web pages change over time. A malicious web page that exhibits malicious behavior in one month might cease to do so in the following month. The attackers might have abandoned the site or the web master might have detected and subsequently removed the malicious content. Sophos Security threat report 07/2008, for instance, describes that the number of malicious web sites they detect almost tripled [5] from 2007 to 2008. Just in a year, the number of malicious web pages on the Internet appeared to have changed significantly. So the time a measurement study is conducted greatly influences the results and, as a result, should be explicitly documented. Deceptive Nature. If a malicious web page detects it is part of a study, it may choose not to participate in this study. It could make this decision based on identifying that the requests were made by a client honeypot. As such, the deceptive nature of the client honeypot in making the request needs to be closely aligned with how users make requests. History. History of requests may pose another threat to a study of malicious web pages. Particular malicious web pages implement a tracking functionality in which the attack is launched only once upon a target. A client honeypot requesting the identical page a second time would not lead to an attack and therefore the malicious web page would be missed. This threat is mitigated through caching and rotation of IP addresses to minimize the chance of the client honeypot to visit a web page twice.

4

Comparative Measurement

The first measurement was designed to compare the risk of drive-by-download attacks from web servers in the .nz domain to other top level domains. Sample of potentially malicious web pages from the .nz, .uk,.au, and .com domain were inspected for malicious web pages with client honeypots. Statistical analysis of the malicious URLs and domains was conducted to assess risk levels at each top level domain. First, the methodology is presented followed by the results. 4.1

Methodology

From the Victoria University network, 664,000 web pages from the Australia, New Zealand, UK, and .com top level domain were inspected with a hybrid client honeypot system. The hybrid client honeypot system was composed of

14

C. Seifert et al.

Fig. 1. Hybrid System

low- and high-interaction client honeypot Weta 1.0 and Capture-HPC 2.0 [19]. Each malicious URL was recorded and the number of malicious URLs per domain were analyzed to determine statistically significant differences across domains. To compare URLs from the various domains, the malicious nature of URLs from the domains need to be assessed. The number of URLs needed to be of sufficient size to detect any statistically significant differences across the various domains. To achieve this, a large sample of 664,000 URLs needed to be classified. Due to resource constraints, a comprehensive classification of this many URLs using a slow high-interaction client honeypot was not possible. Instead, all URLs were inspected first with a fast-low interaction client honeypot system, which is capable of making an initial classification, and finally with a high-interaction client honeypot for a final classification as shown in Figure 1. The low-interaction client honeypot produces false positives and false negatives. The false positives were addressed by re-inspecting each URL that was classified as malicious with a high-interaction client honeypot. This high-interaction client honeypot filters out all false positives produced by the low-interaction client honeypot. In addition to producing false positives, the low-interaction client honeypot is known to miss attacks. The low-interaction client honeypot approximately misses half of the malicious web pages, but it is assumed that these false negatives apply with equal level across all domains. As such, a comparison is still possible. When we more comprehensively assess the .nz domain described in the later sections, we abandon the low-interaction client honeypot and exclusively inspect all URLs with a high-interaction client honeypot to minimize the level of false negatives. The low-interaction client honeypot of the hybrid client honeypot system is Weta v1.0. Weta v1.0 is a simulated web browser that imitates Microsoft Internet Explorer 6.0 SP2. It only retrieves the web page denoted by the URL and not any embedded resources, such as iframes and images. It makes a classification based on the static attributes found on the page, such as existence of obfuscated JavaScript, Iframes, etc. Because of the common attributes used by malicious web pages, it is possible to identify malicious pages using this method. The system is very fast and is capable to classify a web page within 0.05 seconds on an Amazon EC2 instance with 1.7GB of RAM, which is equivalent to a CPU capacity of a 1.0-1.2 GHz 2007 Xeon processor, on a 250Mbps connection [20]. The classification mechanism used by this system produces 5.88% false positives and 53.85% true positives. (Note that even though the false positive rate is lower than the true positive rate, the majority of alerts generated by the lowinteraction client honeypot will consist of false positives because the majority of web pages in the sample will be benign web pages [21].) The detection mechanism implemented by Weta v1.0 has been described in detail in previous work [22].

Measurement Study on Malicious Web Servers in the .nz Domain

15

Each web page that is classified as malicious by the low-interaction client honeypot system is forwarded to the high-interaction client honeypot for reinspection. The open-source high-interaction client honeypot used is CaptureHPC v2.0 developed at Victoria University of Wellington [19]. It uses a dedicated, vulnerable computer system to interact with potentially malicious servers. As responses from these servers are consumed by the client honeypot, it monitors the operating system at the kernel level for any unauthorized state changes at the process, file system and registry level (excluding authorized changes to the system state associated with background system processes, such as the creation of temporary cache files). For instance, if a new file appears in the startup folder after the vulnerable browser interacted with a server, the client-honeypot can conclude that the server it just interacted with must have launched a successful attack and placed the file in the startup folder. This approach filters out the false positives the low-interaction client honeypot produces. Capture-HPC v2.0 was configured with stock installation of Windows XP SP2 and Internet Explorer 6 SP2 within a VMware Server 1.x virtual machine. No additional plug-ins were installed nor was the configuration of the system adjusted to solicit more attacks, such as lowering the browser default security settings. This system was configured with the en-nz locale and the location was set to be New Zealand. The client would be configured to visit the URLs sequentially. After each visitation, the client honeypot would wait 10 seconds to give the web page the opportunity to trigger the attack. If no unauthorized state changes were detected, the client honeypot would record its classification and proceed visiting the next URL. If unauthorized state changes were detected, the client honeypot would record the classification including all the unauthorized state changes that occurred. Before visiting the next URL, the state of the virtual machine would be reset into a clean state prior to doing so. The data for the comparative study was collected in January and February 2008 from the network at the School of Mathematics, Statistics and Computer Science (now School of Engineering and Computer Science) at Victoria University of Wellington, in Wellington, New Zealand. The URLs from the domains .au, .com, .nz and .uk were sourced from the Yahoo Search engine [23]. Because the domains were domains of countries with the national language English, URLs could be sourced by submitting English queries to the search engine. By submitting the same queries to the search engine for each domain, it is expected that the URLs sourced from the results page are controlled and only differ in the domain they come from. Category bias, which was observed previously [2], such as elevated percentage of adult web pages over news web pages, should be applied consistently across all four domains. The queries were English 5 N-gram queries that randomly selected from the corpus of web pages linked by the DMOZ Open Directory Project [24]. The first 1000 URLs on the results page were used to build the list of 664,000 URLs. Data Collection and Analysis. All URLs were first inspected with the lowinteraction client honeypot Weta v1.0. Each URL that was classified as malicious could be a false positive. As a result, these URLs were forwarded to the

16

C. Seifert et al.

high-interaction client honeypot Capture-HPC v2.0 for a second and final inspection, which would eliminate false positives. The malicious classification of the final inspection by the high-interaction client honeypot was recorded for each URL. A visual verification of the unauthorized state changes ensured that no false positives were used in the data analysis phase. To assess whether one top level domain contains generally more malicious URLs than others, a simple Chi-Square test was performed on the number of malicious URLs. Because some malicious URLs might have originated from the same host, a second Chi-Square test was performed on the number of unique host names that host at least one malicious URL. 4.2

Results

Inspecting the 664,000 URLs, the low-interaction client honeypot Weta v1.0 produced a total of 11,095 URLs that it considers may be malicious. Since the majority of these URLs were false positives, they were inspected once again with the high-interaction client honeypot Capture-HPC v2.0. A total of 38 malicious URLs from 27 unique hosts were detected. Of the 168,000 URLs per domain, 26 unique malicious URLs from 16 unique hosts were identified for the .au domain, one URL from one host identified for the .com domain, eight URLs from 7 hosts were identified on the .uk domain, and three URLs from three unique hosts were identified for the .nz domain. The statistical Chi-Square test shows that the difference between the malicious URLs and hosts identified in the .au domain and any of the other domains is statistically very significant (URLs: p < 0.0036; Hosts: p < 0.0092).

5

Comprehensive Measurement

The first measurement used a hybrid system to compare domains. The second measurement should be more comprehensive. Because the hybrid system is likely to miss attacks, the second measurement is designed to minimize this risk by omitting inspection with the low-interaction client honeypot Weta v1.0. Instread, all URLs were inspected with the more accurate high-interaction client honeypot Capture-HPC v2.1 [19]. In addition, the URLs used for the comprehensive study were not sourced by a search engine, but rather by extracting URLs from the .nz domain file. This allowed us to even inspect URLs that were not indexed by search engines. Each malicious URL identified was recorded and several defensive techniques were evaluated against these malicious URLs. 5.1

Methodology

Each URL is inspected with the open-source high-interaction client honeypot used is Capture-HPC v2.1 developed at Victoria University of Wellington [19]. This is more accurate than the hybrid system used in the first experiment as it is likely to miss less attacks and is able to identify known and unknown attacks.

Measurement Study on Malicious Web Servers in the .nz Domain

17

It produces negligible false positives. It is configured in the identical way as Capture-HPC v2.0 was in the first experiment. The version 2.0 and 2.1 differ primarily in bug fixes. Several high-interaction client honeypots were used to inspect potentially malicious URLs. For analysis purposes and to counter evasion techniques based on tracking client honeypots, all requests were made via a HTTP/DNS proxy server Squid v2.6 and Pdnsd 1.2.6 [25,26]. These proxy servers were configured to cache more aggressively compared to a standard configuration to counter evasion techniques and support the subsequent analysis [27]. The data for the comprehensive study was collected in April 2008 from the network at the School of Mathematics, Statistics and Computer Science (now School of Engineering and Computer Science) at Victoria University of Wellington, in Wellington, New Zealand. The URLs were obtained by querying DNS records for valid .nz hostnames. Each hostname was checked for the existence of a common web server listening port (TCP port 80) indicating the existence of a web server. For all hostnames that did not indicate the existence of a web server, the hostname was modified with the prefix “www”. and existence of a web server checked once again. For all hostnames for which an indication of a web server existed, a URL was generated that pointed to the main entry point of the web server, for example “http://www.vuw.ac.nz/”. 247,198 unique URLs were obtained using this method. Data Collection and Analysis. All URLs were inspected with the highinteraction client honeypot Capture-HPC v2.1, which has a negligible false positive rate. For each URL, the classification, time of inspection as well as any unauthorized state changes, such as a new file that appeared in the startup folder, were recorded. In addition, the network traffic as well as the web page itself was recorded by the HTTP and DNS proxy. A visual verification of the unauthorized state changes ensured that no false positives were used in the data analysis phase. All malicious URLs were further analyzed. First, they were inspected once again with a fully patched system. This allowed us to assess whether dangerous zero-day exploits exist in the .nz domain. Second, a brief description of the web page and popularity ranking from Alexa, Google Toolbar and SiteAdvisor service [28,29,30] was obtained by visually inspecting the web page to assess whether popularity and particular topic areas show a higher concentration of malicious web pages. Third, each URL was cross-checked against the URL assessment service of Googles Safe Browsing API [31], McAfee SiteAdvisor [30], Stopbadware database [32], and with the HauteSecure browser plugin [33]. This allowed us to evaluate whether knowledge of these pages by leading blacklisting services exist. 5.2

Results

Comprehensive measurement of 247,198 URLs in the .nz domain detected a total of 52 malicious URLs. The sites themselves fill a wide spectrum of topics: From shopping sites, personal sites, to tourist sites. It seems as if sites from various

18

C. Seifert et al.

Fig. 2. Map of hosts

topic areas pose a risk to the end user. Adjusting browser behavior might reduce the risk (e.g. avoid SPAM links and adult content sites), but the risk cannot be eliminated. Popularity of these sites in general is low; 17 of the URLs were not known to SiteAdvisor, Alexa or Google. Only 2 sites showed a medium popularity. In general, it is expected that in global comparison, sites in the .nz domain will rank low. The fact that several were not tracked by these services poses a risk, because if a site is not known, a security assessment is not likely to take place and therefore the site will not be tagged as malicious by the corresponding blacklisting services. Several publicly available blacklisting services were used to check whether the malicious sites were known to the service. A combined assessment of Google, Stopbadware.com, and SiteAdvisor showed that only nine out of 52 sites were tagged as suspicious or malicious. Blacklisting based on these services would have protected the end user inadequately. The browser plug-in by Haute Secure shows more promising results that allows for protection against malicious web pages. Haute Secure was able to detect 40 out of 52 sites, because this software takes a different approach. Instead of merely checking the main URL that is input into the browser, the Haute Secure plug-in also checks for embedded resources on that page. For instance, if a URL foo.com contains an iFrame that points to a centralizied exploit server maliciousSite.com, Haute Secure will detect and block the request to the maliciousSite.com effectively protecting the end user. The approach is more successful than merely blocking the main URL, because many malicious URLs point to few centralized exploit servers as shown in Figure 3. The physical location of the exploit servers is shown in Figure 4. This Figure shows that the exploit servers are geographically more globally dispersed than the hosts of the .nz domain (as shown in Figure 2.) The hosts of the .nz domain are primarily located in New Zealand and the United States, where many discount hosting providers exist. The exploit servers referenced by these pages, however, are located in additional countries; primarily Unitied States, Russia and China.

Measurement Study on Malicious Web Servers in the .nz Domain

19

Fig. 3. Centralized Exploit Servers

Fig. 4. Map of exploit servers

Besides blacklisting, patching was evaluated. The analysis of inspecting the malicious URLs with a fully patched system resulted in zero successful attacks. As such, patching is a very successful mechanism to defend against these attacks. However, in case just one malicious URL deploys a zero-day exploit, the impact on end users would be tremendous.

6

Term Measurement

In the last and final experiment, a trend assessment of the threat landscape in the .nz domain was made. Over a period of 6 months comprehensive and partial scans of the .nz were conducted repeatedly from the Victoria University network with the high-interaction client honeypot Capture-HPC v.2.1. Changes over this period were analyzed to detect trends and other observations.

20

6.1

C. Seifert et al.

Methodology

The client honeypots were identically setup and configured as described in section 5 High-interaction client honeypots were used exclusively because of their better detection accuracy. The repeated comprehensive measurements were taken from June 2008 to November 2008 from the network at the School of Mathematics, Statistics and Computer Science (now School of Engineering and Computer Science) at Victoria University of Wellington, in Wellington, New Zealand. The URLs used for the comprehensive assessment were also used for the repeated measurements over the 6 month study period. Because attackers are likely to record the IP addresses of the clients and alter their behavior accordingly, the external IP address of the system was changed monthly. Data Collection and Analysis. All URLs were inspected with the highinteraction client honeypot Capture-HPC v2.1 monthly. For each URL, the classification, time of inspection as well as any unauthorized state changes were recorded. In addition, the network traffic as well as the web page itself were recorded by the HTTP and DNS proxy. After the monthly scan, the HTTP and DNS proxy cache were cleared. A visual verification of the unauthorized state changes ensured that no false positives were used in the data analysis phase. The monthly measurements were used to investigate trends in the attack landscape of the .nz domain. Further, monthly scans were analyzed to assess the extent of how dynamic the attack landscape is. The lifetime of malicious behavior of malicious web pages detected in June was determined. For the month of July to November those web pages were inspected for malicious behavior. This data allowed us to assess how quickly and to what extend malicious URLs are turning benign. To determine how quickly and to what extent previously benign URLs turn malicious, a percentage based upon newly discovered URLs was calculated. 6.2

Results

The 247,198 URLs were repeatedly inspected over a period of eight months. A total of 291 unique malicious URLs, about 0.12%, were identified. Results of the monthly inspection of these URLs are shown in Figure 5 (Note that no monthly scan was conducted in May 2008). Over the eight month period, no increasing nor decreasing trend can be detected. While there are fluctuations between 52 (April 2008) and 97 (July 2008) malicious URLs can be observed, significant increases and decreases appear to occur throughout the period of eight months. On average, 73.7 malicious URLs were detected. Of the 291 malicious URLs identified, a majority of URLs only exhibited malicious behavior once as shown in Figure 6. No malicious URLs that exhibited malicious behavior constantly over the seven monthly scans. Only about 8% of malicious URLs exhibited malicious behavior more than half of the seven scans. Of the malicious URLs identified over the eight month period, a considerable portion of the malicious URLs were newly classified as malicious compared to

Measurement Study on Malicious Web Servers in the .nz Domain

21

Fig. 5. Monthly Scan Results

Fig. 6. Number of Times a Malicious URL exhibited over the Seven Monthly Scans

the previous month as shown in Figure 7. In July, for instance nearly 80% of the malicious URLs were newly classified as malicious compared to June. Over the following four months, the percentage of newly classified malicious URLs decreased continuously. In November, about 34% of the malicious URLs were newly classified as malicious compared to October. On average, 50% of malicious URLs were newly classified as malicious compared to the previous month. In addition to assess URLs that turn malicious, malicious URLs that turn benign were observed. Figure 8 shows malicious URLs identified in June 2008 over time. In June 2008, 62 malicious URLs were observed. Of those 62 malicious URLs, about 32% were identified also in July 2008. The percentage continuously decreases over time. Of the 62 malicious URLs identified in June 2008, approximately 6% were also identified in November 2008. This decay appears to be decreasing over time with an initial half-life of 0.6 months and a half-life of 1.2 months 5 months later. An average half-life of 0.94 months is observed. In summary, a constant threat level on the .nz domain was observed. However, while the number of malicious URLs identified does not indicate an upward or downward trend, a highly dynamic nature of malicious URLs has been observed. As malicious URLs disappear, they reappear elsewhere. The rates observed show that on average 50% of malicious URLs identified change monthly. This figure applies to the appearance of new and disappearance of existing malicious behavior. Appearance of malicious behavior can be explained by the continuous

22

C. Seifert et al.

Fig. 7. Percentage of Newly Classified Malicious URLs From Previous Month

Fig. 8. Malicious URLs Identified in June 2008 Over Time (monthly)

malicious activity which target legitimate web sites. These web sites, which usually expose vulnerabilities, are attacked and modified to serve malicious code. Its estimated that 75-80% of all malicious web sites are hacked [5,34]. The web sites identified mostly seem to fall into this category. The do not appear to have been setup with the intent to attack visitors of that site, but are rather legitimate sites that are abused by a third party. Malicious URLs that turn benign is a behavior that is a more difficult to explain. Potentially, this behavior could be attributed to the measures taken by the major search engines Google, Yahoo, and Live Search [35,36,37] which all now search for malicious web pages and either remove them (Yahoo) or tag them as malicious on the results page (Google and Live Search.) As malicious URLs are tagged, the webmasters is notified either directly or indirectly by the impact such a warning has on the traffic to her website, are now inclined to take action to remove the malicious content from their site, and secure their site so a repeated attack cannot occur [38]. Further, take-down notices by various entities in the security space could lead to shutting down of the responsible exploit servers. And finally, the malicious web pages might naturally exhibit sporadic malicious behavior. Even immediate interaction with a malicious page would result in benign behavior. This could be due to fast flux networks [39], malicious advertisements that are only shown occasionally [10], or intentional randomization by attackers to counter detection technology.

Measurement Study on Malicious Web Servers in the .nz Domain

7

23

Conclusion

Over the last 10 months, the threat of drive-by-download attacks in the .nz domain was assessed. While the comparative measurement between the .au, .uk, .com and .nz domain has not revealed an elevated risk for the .nz domain, several hundred malicious URLs in the .nz were identified. These malicious URLs appear to be primarily sites that have been hacked by a malicious third party and then manipulated to serve exploit code. While the malicious URLs of the .nz were primarily hosted in New Zealand and the United States, exploit servers which host the actual attack code, were primarily located in the USA, Russia and China. The malicious URLs identified in the month of April 2008 were cross-checked against known bad site of the Stopbadware, Google index and McAfee SiteAdvisor. Very few URLs were known by these three sources. This is an indication how difficult it is to identify malicious pages on the Internet and provide defensive intelligence to end-users. The Haute Secure browser plug-in was more successful in detection of the malicious content, because it instruments the browser and is able to view and check the commonly used centralized exploit servers. However, some URLs identified did not make use of an exploit server. Rather the exploit code was hosted directly on the page; such pages were often missed by Haute Secure browser plug-in. Identification of malicious web sites is overall difficult. Patching was a successful method to defend against malicious web pages. None of the pages that were detected as part of this study successfully attacked a patched system. But even with patching being a good defensive strategy, it assumes that users do patch, which is not a given [40]. In addition, even patched systems can be at risk if a zero-day attack appears which continued to happen throughout 2008. Analyzing the results from the monthly scans conducted from April 2008 to November 2008, the number of malicious URLs that were identified remained fairly constant. However, a very dynamic nature of malicious web pages were observed. Most of the malicious URLs identified only exhibited malicious behavior one month of the seven monthly scans performed. URLs that were identified to exhibit malicious behavior one month might cease to do so in the following month. At the same time, URLs that did not exhibit malicious behavior one month might do so in the following month. A monthly rate of change about 50% has been observed. Few malicious URLs that previously exhibited malicious behavior but are no longer exhibiting malicious behavior today could be attributed to the inaccessibility of the central exploit server that hosts the exploit code. Whether these exploit servers were purposefully abandoned by the attacker or taken down as part of a take-down notice could not be determined. In conclusion, the attack landscape of the .nz and the likely the Internet as a hole is highly dynamic. The rate of change poses a challenge to blacklisting services as well as a risk to end users with the potential for rapid dissemination of zero-day attacks. Frequent scans of the web are required to obtain a good up-to-date view of the threat landscape.

24

C. Seifert et al.

8

Future Work

In this paper, a comprehensive measurement of the threat landscape in the .nz domain was presented. A highly dynamic nature of the threat landscape was identified. However, the reason for the dynamic natures could not be determined. Additional measurement on web servers, increasing the frequency of scans and development of tools to collect information on why web pages change in their malicious nature will be part of future work.

Acknowlegement This work was funded by InternetNZ. URLs used for the .nz survey can be provided on request to allow replication of this work.

References 1. Seifert, C., Welch, I., Komisarczuk, P., Narvaez, J.: Drive-by-downloads (February 2008) 2. Seifert, C., Steenson, R., Holz, T., Bing, Y., Davis, M.A.: Know your enemy: Malicious web servers (2007) 3. Finjan: Web security trends report - Q2/2008 (2008) 4. Microsoft Corporation: Microsoft security intelligence report (2008) 5. Sophos: Sophos threat report (July 2008) 6. ScanSafe: Global threat report (2008) 7. Stopbadware.org: Badware websites report 2008 (2008) 8. McAfee, Inc.: Mapping the mal web, revisited (2008) 9. Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., Zou, W.: Studying malicious websites and the underground economy on the chinese web. Technical report, University of Mannheim (2007) 10. Provos, N., Mavrommatis, P., Rajab, M.A., Monrose, F.: All your iframes point to us (2008) 11. Moshchuk, A., Bragin, T., Gribble, S.D., Levy, H.M.: A crawler-based study of spyware on the web. In: 13th Annual Network and Distributed System Security Symposium, San Diego, The Internet Society (2006) 12. Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In: 13th Annual Network and Distributed System Security Symposium, San Diego, Internet Society (2006) 13. Thomas, R., Martin, J.: The underground economy: Priceless (2006) 14. Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: CCS, Alexandria, ACM, New York (2008) 15. Holz, T., Gorecki, C., Rieck, K., Freiling, F.: Measuring and detecting fast-flux service networks. In: 15th Annual Network & Distributed System Security Symposium, San Diego (2008) 16. Finjan: Web security trends report - Q1/2008 (2008) 17. MaxMind: MaxMind GeoLite Country (2002)

Measurement Study on Malicious Web Servers in the .nz Domain 18. 19. 20. 21.

22.

23. 24. 25. 26. 27.

28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38.

39. 40.

25

Seifert, C.: Know your enemy: Behind the scenes of malicious web servers (2007) Seifert, C., Steenson, R.: Capture - honeypot client (2006) Amazon, Inc.: Amazon Elastic Compute Cloud (Amazon EC2) (2006) Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. In: 6th ACM Conference on Computer and Communications Security, Singapore. ACM Press, New York (1999) Seifert, C., Komisarczuk, P., Welch, I.: Identification of malicious web pages with static heuristics. In: Austalasian Telecommunication Networks and Applications Conference, Adelaide. IEEE, Los Alamitos (2008) Filo, D., Wang, J.: Yahoo! search engine (1994) Netscape Communications Corporation: DMOZ open directory project (1998) Wessels, D., Nordstroem, H., Rousskov, A., Chadd, A., Collins, R., Serassio, G., Wilton, S., Francesco, C.: Squid web proxy cache (1996) Moestl, T., Rombouts, P.: Pdnsd - proxy DNS server (2000) Seifert, C., Endicott-Popovsky, B., Frincke, D., Komisarczuk, P., Muschevici, R., Welch, I.: Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots. In: 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto (2008) Google Inc.: Google toolbar (2000) Alexa Internet, Inc.: Alexa toolbar (1996) McAfee, Inc.: Mcafee siteadvisor (2005) Google Inc.: Google Safe Browsing API (2007) Stopbadware.org: Home page (2006) HauteSecure: Home page (2007) Websense Inc.: State of internet security, Q1 - Q2, 2008 (2008) Yahoo! Inc.: A safer way to search (2008) Google Inc.: Putting a stop to spyware (2006) Seifert, C.: Live search: Battling the plague of the web (2008) Day, O., Palmen, B., Greenstadt, R.: Reinterpreting the disclosure debate for web infections. In: 7th Workshop on the Economics of Information Security, Hanover, New Hampshire (2008) The Honeynet Project: Know your enemy: Fast-flux service networks (2007) Frei, S., Duebendorfer, T., Ollman, G., May, M.: Understanding the web browser threat: Examination of vulnerable online web browser populations and the ”insecurity iceberg” (2008)

A Combinatorial Approach for an Anonymity Metric Dang Vinh Pham1 and Dogan Kesdogan1,2 1

Siegen University, Siegen, Germany [email protected] 2 NTNU-Norwegian University of Science and Technology, Trondheim, Norway [email protected], [email protected]

Abstract. A number of papers are suggested with the goal to measure the quality of anonymity of a given anonymity system. Most of them use the anonymity set as the basis for developing, reasoning about and applying measure. In this paper we argue that these approaches are premature. In this work we suggest to use the so called hypothesis set – a term derived from possibilistic information flow theory. Investigating the hypothesis set, it is possible to make the “protection structure” explicit and also define well known terms from measurement theory like scale and metric. We demonstrate our approach by evaluating the hypothesis set of the classical Chaumian Mix.

1 Introduction One of the most important values in the information society is the information itself. Therefore, the protection of this precious good is a crucial task. A lot of research attention has been devoted to protecting the information contained within messages. This can be easily achieved today, by using encryption techniques. Here we focus not on the protection of such content data but rather on how to ensure the confidentiality of traffic data, i.e. information about communication relations. Protection of traffic data usually results in some form of anonymity. Such confidentiality is important, since third parties’ unrestricted access to traffic data is considered an unacceptable invasion of both private and business lives. Several techniques are known to protect traffic data. However, there is still a lack of models to evaluate the level of protection these techniques can provide. There are two reasons to determine the level of protection. First, the quality of protection can be made visible to the user. Second, the mathematic model gives designers insight into the protection task. In this paper we will study a specific system - the Mix system [1] that exposes the basis for an understanding of the abstract problem. Consequently, our focus is to investigate the abstract problem and the well known model of anonymity systems, the anonymity set, which can be used to model all traffic protection techniques [2]: Anonymity is the state of being not identifiable within a set of subjects, called the anonymity set. All practical anonymity techniques leak some information about the users’ communication peers in the anonymity set. As the number of observed anonymity sets increases, the uncertainty about the peer partners usually decreases, eventually reaching 0. At this point, there is enough information to determine the peer partners uniquely. According to this observation and inspired by the metric Mean Time To Failure (MTTF) C. Boyd and J. Gonz´alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 26–43, 2009. c Springer-Verlag Berlin Heidelberg 2009 

A Combinatorial Approach for an Anonymity Metric

27

[3], Shannon’s unicity distance [4] and measurement theory [3], we define the metric Mean Time To Deanonymization (MTTD). In [5] an attack algorithm called the Hitting Set Attack (HS-Attack) is proposed that can be used to measure MTTD for the MIX model. It was proven in [5] that HS-Attack requires the least number of observations that is necessary to uncover the peer partners of a user given a global passive attacker, who can observe any communication link from the sender to the Mix and from the Mix to the receivers. In this work we will investigate the HS-Attack for new structures to better understand how the attack evolves with increasing observations. We will mathematically approximate sharply this evolution from secure state into insecure state as a homomorphism of the “reality”. Thereby we will provide mathematic answers to the following main questions: – What is the average number of observations to disclose all of a user’s peer partners? – What is the average number of observations to disclose at least one of the user’s peer partners? – How likely is it to find a particular fraction of a user’s peer partners in a random hypothesis after a given number of observations? Question one was first considered with respect to inherent structures of the Mix- and attacker- model in [5]. They measured the mean number of observations to reach a necessary condition (called exclusivity) to disclose all of a user’s peer partners. In contrast to [5], our approach is more comprehensive and granular, since it enables to directly model the number of observations to disclose any number of a user’s peer partners. In answering question two, we are the first to suggest the anonymity metric MTTD-1 that measures the time point, when the mix system’s anonymity function leaks the first unambiguous information about a user’s peer. This peer can be revealed by HS-Attack and we provide a mathematic measurement of the number of observations that the attacker needs to succeed. Each of a user’s communication relationship is information theoretic anonymous, if it can be avoided that the attacker gains MTTD-1 observations. MTTD-1 extends the traditional measurement of anonymity that until now only considers the time point when all of a user’s peer is disclosed. Finally question three applies to the situation, when it is not possible to definitively identify any user’s peer. Our mathematic model gives the probability that a random hypothesis contains a certain number of the user’s contacts. The latter point shows that our approach opens the door to further analysis beyond the scope of unambiguous identification of peers and we are also the first to address this issue. This paper is organised as follows. Section 2 will provide basic background information, related works and the used Mix meta model. Section 3 will describe the inherent structures and properties of hypotheses sets and we will contribute a precise mathematic model to describe them. Based on this model, we will derive analytical formulas to expose distinct anonymity states with respect to the Mix parameters and the observations of the attacker in Sect. 4. We will measure the mean number of observations to identify arbitrary subsets of a user’s peer partners, the size of the hypothesis set and the probability to find a particular fraction of a user’s partners in a randomly computed hypothesis. Section 5 will finally summarise our results and outline future works.

28

D.V. Pham and D. Kesdogan

2 Background Over the last years a handful of “anonymity metrics” have been proposed [6, 7, 8, 9, 10, 11, 12] that measure the information flow to the attacker. If information flows to the attacker, then it reduces the uncertainty of the attacker, which can be measured with some variant of Shannon’s entropy. All entropy measurements follow here a similar scheme: information flow occurs if the attacker is really uncertain1 and afterwards fairly certain. This kind of “macroscopic” measurement can easily be applied to different anonymity systems, since only the probability distributions have to be known. The paradigm “information flows when uncertainty decreases” is problematic as discussed in [13, 11]. Our approach is more microscopic. The attacker and his knowledge (his interpretation) is incorporated in the model. Thus, direct application of our approach to other anonymity techniques (e.g. Crowds [14]) is not given, i.e. it has to be adapted or rather redeveloped. Again, we model the whole path from secure to insecure state where the uncertainty with each observation decreases (i.e. number of hypotheses decreases). Indeed, in each step we can measure the uncertainty by using entropy as suggested in the literature. This would be a concomitant measurement. However, we think that the other way around is not possible (without formal proof), since suggested entropy based approaches measure only the actual information flow but not how the security evolves with time. The reason for our approach is that we think that the goal of a security strength metric is to quantify the attackers efforts that are required to break a system’s security. Therefore, with respect to the general paradigm “the harder the successful attack the stronger the system” the actual entropy metric suggestions are premature2. Consequently, we define anonymity in terms of the attacker’s knowledge, using the well known trace-based approach [15]. An attacker observes and accumulates input and output events of the anonymity system. The measurement of anonymity depends on the knowledge (i.e. interpretation of the observations) of the attacker that we model with a set of hypotheses. The only assumption we make is that the user keeps the set of peer partners. Unlike the theoretic works in this area (see e.g. [16, 17, 18]), we are not interested to give a formal specification of the anonymity problem. 2.1 The Mix Model We consider the Mix Model that was described in [5]. The Mix technique was proposed by David Chaum in 1981 [1]. Figure 1 shows the basic ingredients of this technique which consist



 of a set of senders S, a set of recipients R, and  
s a Mix node. Note that S and R can be equal. ixe 
  M   All senders in S are connected to the Mix and   the Mix itself is connected to all recipients in Fig. 1. Formal model R by a communication network with reliable secure channels. A reliable secure channel does not 1 2

E.g. a priori distribution is the uniform distribution. The draw back of our approach (as mentioned above) is the necessity of modelling explicitly the anonymity system and the attackers knowledge.

A Combinatorial Approach for an Anonymity Metric

29

result in loss or duplication of transmitted messages, and guarantees authenticity, integrity, and confidentially of transmitted messages. The users and the Mix transmit messages by using the following protocols: User Protocol: Users prepare their messages to be of constant length either by splitting long messages or by padding short messages to the specified length. Each message is encrypted twice with one time pads: first the message is encrypted using a shared secret between the sender and the intended recipient, and then it is encrypted using a shared secret between the sender and the Mix. The users send twice encrypted messages to the Mix. Mix Protocol: A Mix collects b messages (called a batch) from distinct users, decrypts the messages, and outputs the decrypted messages in a batch in a different order than the order in that they were received (lexicographically sorted or randomly delayed). The output is broadcasted to all recipients. Furthermore, any incoming packet is compared with formerly received messages (i.e. by locally caching formerly received messages) in order to reject any duplicate messages. The basic Mix technique described above can perfectly hide the communication relationships between senders and recipients of messages from everybody but the Mix and message senders. Even the act of sending or receiving can be perfectly hidden if the above protocol is applied in fixed time slots, and if every user supplies a fixed number of messages (perhaps some or all of them being dummy messages) to each slot and the whole output batch in a time slot is distributed to every user [19, 1, 20]. Pfitzmann [20] states that the Mix technique provides information-theoretic anonymity and unobservability based on complexity-theoretic secure cryptography. The pure Mix technique. The “perfect” anonymity solution discussed above uses dummy messages and broadcasting. This solution is not followed widely in large networks such as the Internet, as justified in [5]. As a consequence, most current implementations and solutions use a variant of the perfect Mix solution by neither using dummy messages nor the broadcasting function. We refer to this kind of Mix techniques by the term pure Mix technique. Our pure Mix (also called threshold Mix) model is quite general and also Pool-Mixes can be mapped on it as shown in [10]. We consider a global passive attacker who is capable of observing all communication links simultaneously as described in [5]. This attacker model is also known as the Dolev-Yao model in the literature. Based on this attacker, we will use the following formal model of a pure Mix and information leakage therein for our analysis. Formal Model of the Pure Mix Technique – A communication system consists of a set of senders S, and a set of recipients R, and a Mix node (see Fig. 1). If a sender s ∈ S communicates with a recipient r ∈ R, then we say that s and r are peer partners. If the roles of sender and receiver need to be distinguished, then we say that s is a peer sending partner of r and r is a peer recipient partner of s.

30

D.V. Pham and D. Kesdogan

– In each communication round3 a subset S  ⊆ S of all senders S send a message to their peer partners. Let R ⊆ R be the set of intended recipients. The act of sending or receiving a message is not hidden among dummy messages. – The size of the sender anonymity set is |S  | = b, where 1 < b  |S| = n. – The size of the recipient anonymity set is |R |  b since each sender sends exactly one message and several senders may communicate with the same recipient. The size of the recipient set is |R| = N . – The information leakage X available to an attacker in a communication round consists of the pair (S  , R ) of peer senders and receivers. 2.2 The Hitting-Set Attack The hitting-set attack (HS-Attack) introduced by [21, 5] is a global passive attack. The goal of the attack is to compute all possible peer recipient sets of a target sender Alice ∈ S that are called hypotheses. Alice’s peer recipient set is HA and its size is m = |HA |. We will denote recipients r ∈ / HA by the term non-peers. If HS-Attack can find only one hypothesis of size m, then Alice’s peer set is uniquely identified. The adversary is interested in Alice’s peers, he therefore only observes those pairs (S  , R ), where Alice participates as a sender, i.e. Alice ∈ S  . Under this condition we denote the corresponding recipient set R by the term observation O and the set of observations collected during t rounds is the observation set OS = {O1 , . . . , Ot }. For each hypothesis H  = HA , it is unlikely that whenever Alice sends a message, also a receiver of H is contacted. The number of hypotheses therefore decreases with increasing number of observations as illustrated in Example 1. Example 1. Let HA = {8, 9} and the observations at time 1,2,3 be O1 = {8, 5}, O2 = {9, 4}, O3 = {8, 6}. Alice contacted peer 8 in the first and third observation and peer 9 in the second observation. At time point 2 the attacker only sees O1 , O2 , therefore H = {5, 4} is a hypotheses, since these peers could also be contacted by Alice. But at time point 3 H is excluded, since neither 4 nor 5 is contacted in O3 . N  To mount the HS-Attack, the attacker starts with the set L0 that contains all m possible subsets of cardinality m of N recipients, which is called the hypothesis set. We assume in this paper that m is know4 , because we are interested in analysing how long Alice can keep a constant set HA of m peer partners anonymous. Since Alice has m peer partners, exactly one subset in L0 is the set of all peer partners of Alice. Let {O1 , O2 , O3 , . . . , } be the observations in the successive communication rounds in which Alice participates. Since Alice has a peer partner in O1 , a set in L0 that has an empty intersection with O1 cannot be the set of all peer partners of Alice. Thus upon observing O1 , the attacker obtains a new hypothesis set L1 by discarding all recipients sets in L0 that have an empty intersection with O1 . The attacker repeats this process to 3

4

A communication round consists of the following events: The Mix node collects messages from a fixed number of distinct senders, and after applying the “Mix” protocol, it forwards the collected messages to their intended recipients. All attacks shown in this paper are also applicable if m is unknown. See [22] for a justification.

A Combinatorial Approach for an Anonymity Metric

31

generate hypotheses sets L2 , L3 , . . . after observing recipient sets O2 , O3 , . . . respectively, until the hypothesis set Lt has only one subset in it. The last remaining subset in the hypothesis set Lt has to be the set HA of all peer partners of Alice, hence the algorithm fully discloses Alice’s peer set. Note that HS-Attack finds the unique minimal hitting set of all observations. A hitting set is a set that intersects with all given sets 5 . The hitting set is called minimal, if no proper subset of it is a hitting set, otherwise it is called non-minimal. All hitting sets addressed in this paper are of size less or equal m. Also note that HS-Attack requires the least number of observations to disclose Alice’s peer set under a global passive attacker as proved in [5].

3 Properties of Minimal Hitting Sets Peers of any hitting sets H  = HA , where H ≤ m are unlikely to be always contacted whenever Alice communicates and this becomes unlikelier, the smaller the size of H is. After some observations, all hitting sets of size m must therefore be minimal. From now on these minimal hitting sets (of cardinality m) are called hypotheses and the hypothesis set is the set of all hypotheses. Each non-minimal hitting set H is a superset of a minimal hitting set H of cardinality m < m. Minimal hitting sets therefore represent the common peers of all non-minimal supersets thereof. A peer can be identified, if it is common to all hitting sets. It is therefore straight forward and without loss of generality to restrict our analysis to minimal hitting sets. The HS-Attack [21, 5] in Sect. 2.2 does not  focus on minimal hitting sets. It simply removes non hitting sets from the set of all N m possible sets of size m. In contrast to this the ExactHS attack introduced by Pham [23] is the first work that reveals precise structures and quantities of minimal hitting sets. The ExactHS attack is a structured variant of the minimal hitting set attack that requires the same (number of) observations to disclose Alice’s peer set as the HS-Attack. We will extend Pham’s work [23] and show how to derive a mathematic model for the evolution of the minimal hitting sets by observations. The obtained model will be elementary, since it enables us to determine the probability, the number and the structure of the minimal hitting sets after any number of observations with respect to the parameters N ,b,m of the Mix. In particular we can determine the number of observations, such that a particular number of Alice’s peers is disclosed, which is our new metric MTTD. 3.1 Number of Minimal Hitting Sets The ExactHS attack [23] is a minimal hitting set attack that computes all minimal hitting sets of size lower or equal m with respect to a given observation set (representing the observations of the attacker). It therefore allows us to prove the following claim about the number of minimal hitting sets. Claim. Let N , b, m be the Mix parameters and HA be Alice’s peer set of size m. For a given observation set OS, the maximal number of possible minimal hitting sets of cardinality less or equal to m in OS is bm . This bound is sharp, if mb ≤ N . For mb > N this is still an upper bound, but it is not sharp. 5

In our case these sets are the observations O1 , O2 , . . . , Ot .

32

D.V. Pham and D. Kesdogan

ExactHS Algorithm. Before the first invocation of Alg. 1 the set of all minimal hitting sets L and the candidate set H are empty, and the observation set OS consists of all observations collected by the attacker. The computation of the minimal hitting sets is initially invoked by calling ExactHS (OS, m, H). We refer to this observation set by the term initial observation set, as OS will be changed during the processing of ExactHS. In each recursion level H is extended by exactly one peer r, chosen in Line 7 from a designated observation O ∈ OS determined in Line 5, where OS is the actual observation set. At the invocation of the next recursion level to determine the next peer to be added to H ∪ {r} in Line 8, ExactHS is applied to a modified copy of the actual observation set that contains no observations intersecting with {r}. This step of removing is important to avoid non-minimal hitting sets, as it allows us to focus on adding only those peers to the actual set H ∪ {r} that definitively intersect with observations not intersected by H ∪ {r}. Finally, if Line 2 detects that no observation of the actual observation set remains that is not intersected by H, then H is a hitting set. In this case it will be added to the set L in Line 3. After a selection of r has been done in a recursion level, we remove r from all observations of the actual observation set in Line 8 and from the designated observation O in Line 9. This way the algorithm can repeat the extension of H with a new peer r not chosen before in Line 7. Algori thm 1. ExactHS 1: procedure E XACTHS( 2: if = then 3: 4: else if 1 then 5: choose 6: while ( 0) 7: choose 8: E XACTHS ( 9: 10: 11: end while end if 12: 13: end procedure

,

) is a hitting set, add it to hypothesis set add a peer to , if contains less than peers

(

) do 1

)

will become element of select remaining ( − 1) peers of remove in all observations of

do not choose

in this recursion level again

Bound of the Number of Minimal Hitting Sets. ExactHS creates a hitting set H by starting with an empty set H = {} and adding a recipient to H in each choice phase represented by the lines 6–11. The number of recursive invocation of the choice phases in Line 8 is restricted by m, since we are interested in computing hitting sets H with at most m recipients. In each choice phase we only have at most b possible choices of a recipient ri , because only recipients r1 , . . . , rb of a fixed observation O are selected. From the restriction on the number of recursive invocations of the choice phase and the number of choices in each phase, we can conclude that the algorithm computes at most bm minimal hitting sets. A formal proof that ExactHS is sound and complete with respect to the computation of all minimal hitting sets can be found in [23]. To show that the bound bm of the algorithm is tight, we construct m pairwise disjoint observations O1 , . . . , Om , such that Oi ∩ Oj = ∅ and |Oi | = |Oj | = b for distinct i, j ∈ {1, . . . , m}.

A Combinatorial Approach for an Anonymity Metric

33

Let us consider a concrete example with the parameters m = 2, b = 2, the victim peer set HA = {1, 2} and the observations {1, 3}, {2, 4}. A short glance shows that there are bm = 4 minimal hitting sets, namely: {1, 2}, {1, 4}, {3, 2}, {3, 4}. 3.2 Structuring Minimal Hitting Sets This section shows the classification and quantification of minimal hitting sets introduced by [23]. We partition the minimal hitting sets into (m + 1) disjoint classes H0 , . . . Hm . A minimal hitting set H belongs to the class Hi (written H ∈ Hi ), if and only if it contains exactly (m − i) distinct peer partners of Alice. i For sets A, B and integer i we define Ai = j=0 Aj , H0 = {HA } m−1 where A0 is a neutral element, such that A0 ×B k = B k . H1 ⊆ (R \ HA )1 × HA For example the class H2 might contain the (minimal m−2 2 hitting) sets H2 = {r21 , r22 , a23 . . . , a2m } and H2 = H2 ⊆ (R \ HA ) × HA .. {r2 1 , a23 . . . , a2m }, where each rij represents a non. peer and each aik represents an Alice’s peer. All peers Hm ⊆ (R \ HA )m . (1) within a set must be disjoint. Bounds of Minimal Hitting Set Classes. The last section derives the bound of bm for the number of minimal hitting sets. Based on ExactHS (2) represents refined bounds for each of the minimal hitting set classes H0 , . . . , Hm as proved in [23].     m m i |Hi | = (b − 1) = (b − 1)i . (2) m−i i Note that this bound is again tight and we can use the same construction of m disjoint observations as in Sect. 3.1 to prove its tightness. It is  also clear that the sum of the m m   cardinality of each class results in bm , i.e. i=0 |Hi | = i=0 m (b − 1)i = bm . i Probability Property of Classes. To model the probability of excluding a particular hypothesis of a class Hi , we assume that Alice chooses her recipient in each round uniformly distributed from the set of m recipients HA = {a1 , . . . , am }. Similarly the remaining b − 1 senders of a batch are assumed to select their receivers uniformly from the set R of N receivers. A (former) hitting set H is excluded by an observation O, if and only if H does not intersect with O, i.e. if H ∩ O = ∅. A hitting set H is excludable with respect to an observation set OS, if and only if H is a hitting set in OS and there exist an observation O ∈ / OS, such that H would be excluded by O. Suppose that a hypothesis H ∈ Hi is given. According to Pham [24] the probability that this particular hypothesis is excluded by the next observation O is: pinv (N, b, m, i) =

i m (1 − )b−1 . m N

(3)

Thereby the first factor mi is the probability that Alice chooses to communicate with any of the i recipients not covered by H in the observation O. The second factor represents the probability that the remaining (b − 1) senders do not choose to contact any of the recipients in H.

34

D.V. Pham and D. Kesdogan

3.3 Extensive Hypotheses Extensive hypotheses combine the knowledge about the minimal hitting sets of size ≤ m, which are computed by ExactHS with the knowledge about the structure of hypotheses. That way we can predict which hypotheses will be computed in the future. Table 1 shows the the Minimal hitting sets Mi , the extensive hypothesis set Li , and the excluded sets that result from analysing the observation set OS i = {O1 , . . . , Oi }. For i = 0 there is no observation and no M0 , but we have knowledge about the initial hypothesis set represented by the classes (1) in L0 . Each element H ∈ Li is called an extensive class. We will address these classes by their order from left to right and from top to bottom, i.e. Hu is the u-th class in the hypothesis set. An extensive class is unspecified, if it contains a variable x (standing for any variable xvu with indexes), otherwise it is specified. A specified extensive class is called a specified extensive hypothesis. The only specified extensive hypothesis in L0 is H1 = {1, 2, 3}. Each variable x represents any (b − 1) unspecified non-peers r ∈ R \ HA , thereby only distinct peers can be assigned to xvu , xw = w. Peers that are explicitly mentioned are u ∈ Hu for v  called specified. Newly specified peers are bold highlighted. Note that writing H ⊆ L0 would be more appropriate than H ∈ L0 , since H is a class. But for the sake of reducing formalisms and simplifying explanations, we use the element-notation and -operations. For i = 3 we can see that extensive hypotheses also visualise exclusions of implicit hypotheses (e.g. {2, 3, 4} and {3, 4, 5}). A hypothesis is implicit, if it has not been computed by ExactHS as a minimal hitting set yet, otherwise it is explicit. Finally all extensive hypotheses will be explicit and equal to minimal hitting sets as seen in i = 4. Table 1. Evolution of minimal hitting sets and extensive hypothesis set i 0

Oi

1 {1, 4} 2 {2, 5} 3 {1, 6} 4 {3, 4}

Minimal hitting sets Mi Extensive hypothesis set Li Exclusion H0 : {1, 2, 3}; H1 : {1, 2, x12 }, {1, 3, x13 }, {2, 3, x14 }; 1 2 1 2 1 2 1 2 3 H2 : {1, x5 , x5 }, {2, x6 , x6 }, {3, x7 , x7 }; H3 : {x8 , x8 , x8 } {1}, {4} H0 : {1, 2, 3}; H1 : {1, 2, x12 }, {1, 3, x13 }, {2, 3, 4}; H2 : {1, x15 , x25 }, {2, 4, x16 }, {3, 4, x17 }; H3 : {4, x18 , x28 } {1, 2}, {1, 5}, H0 : {1, 2, 3}; H1 : {1, 2, x12 }, {1, 3, 5}, {2, 3, 4}; {4, 2}, {4, 5} H2 : {1, 5, x15 }, {2, 4, x16 }, {3, 4, 5}; H3 : {4, 5, x18 } {1, 2}, {1, 5}, H0 : {1, 2, 3}; H1 : {1, 2, x12 }, {1, 3, 5}; {2, 3, 4}, {4, 2, 6}, {4, 5, 6} {3, 4, 5} H2 : {1, 5, x14 }, {2, 4, 6}; H3 : {4, 5, 6} {1, 2, 3}, {1, 2, 4}, H0 : {1, 2, 3}; H1 : {1, 2, 4}, {1, 3, 5}; {1, 5, 3}, {1, 5, 4}, H2 : {1, 5, 4}, {2, 4, 6}; H3 : {4, 5, 6} {4, 2, 6}, {4, 5, 6}

Li is constructed with respect to the observation set OS i = {O1 , . . . , Oi } and the minimal hitting sets Mi for i ≥ 1. Let H ∈ Hj be an extensive class of size m and H− = H \ HA \ {x}, then H ∈ Li , if and only if H− is a minimal hitting set with respect to OS i = {O \ HA | O ∈ OS i , O ∩H ∩HA = ∅} 6 . Thus for each H− , there is a minimal hitting set Hi with respect to OS i , such that |Hi | ≤ m, H− = Hi \ HA and Hi ⊆ H An extensive class H that complies to these conditions is called minimal, hence an extensive hypothesis set consists of only minimal classes. This defines a surjective 6

The set OS i results from removing all Alice’s peers from those observations in OS i that do not contain any of Alice’s peers of H.

A Combinatorial Approach for an Anonymity Metric

35

mapping of the extensive hypothesis set Li to the minimal hitting sets with respect to OS i . We can define Li for i ≥ 1 recursively as follows: 1. Let Li = {} before the start of its construction below. 2. For each extensive class H ∈ Li−1 , let {r1 , . . . , rk } ⊆ H be the set of all specified peers in H ∈ Hj , where k ≤ m. Apply either 3. or 4. to each H. 3. If {r1 , . . . , rk } ∩ Oi  = ∅ then add H to Li , i.e. Li = Li ∪ {H}, because H is not excluded by Oi . 4. Else if {r1 , . . . , rk } ∩ Oi = ∅ and k < m then add for each non-peer r ∈ Oi \ HA the extensive class H = {r1 , . . . , rk , r, x1 , . . . , xm−k−1 } ∈ Hj to Li , if H is a minimal class in OS i . We generalise from this example that all extensive classes will become specified apart from the exceptions discussed below. The exclusion probability of a specified extensive hypothesis H ∈ Hi is exactly pinv (N, b, m, i), even if H is implicit. The number of specified extensive hypotheses resulting from L0 is strictly bounded by bm . This is due to the fact that L0 and its extensions are defined according to the classes Hi (1) and their class sizes (2). Exceptions. An exception can only arise in point 4. of the computation of Li and consists of following cases: – The extensive class H ∈ Hj resulting from specifying a peer in H ∈ Hj is not minimal in OS i . – There are less than (b − 1) non-peers in Oi . We now analyse the effect of exceptions on the number of the sets that will be specified. Let Alice’s peers be HA = {1, 2, 3}, b = 3 and the considered extensive class be H = {1, 4, x} ∈ H2 . If the next observation is no exception (e.g. Oi = {2, 7, 8}), then (b − 1) = 2 specified sets of H2 would result from extending H. These sets are H = {1, 4, 7} and H = {1, 4, 8}. Assume that H is not minimal than only H would be the extension of H. Similarly, if the next observation would contain less than (b − 1) non-peers, e.g. Oi = {2, 3, 6}, respectively Oi = {2, 7}. Only one specified set H = {1, 4, 6} respectively H = {1, 4, 7} would result from extending H. Let k be the number of specified peers in H from point 4., then for each missing nonpeer in the next observation Oi , the number of sets that will be specified decreases by at most bm−k−1 . The same decrease is caused, if the class H resulting from specifying a peer in H is not minimal in OS i . Note that the preconditions for exceptions imply that sets excluded by exceptions are unspecified and implicit before the exclusion. We observe that most extensive hypotheses become specified very fast and logically at least as fast as minimal hitting sets reach the size m. The impact of exclusions by exceptions on the size of the extensive hypothesis set is therefore moderate in comparison to normal (non-exceptional) exclusions. For the sake of simplicity, we only mathematically model the normal exclusion of extensive hypotheses from the initial bm extensive hypotheses. The main result of this section is that we can map the inconvenient exclusion process of minimal hitting sets on the exclusion process of the extensive hypothesis set. This again can be simplified to the exclusion process of specified extensive hypothesis set, where the exclusion probability of each set is known. From now on hypotheses and classes are always addressed in terms of specified extensive hypotheses and classes.

36

D.V. Pham and D. Kesdogan

4 Modelling Anonymity States Section 3.3 justified that the evolution of the minimal hitting sets can be modelled by the evolution of the extensive hypothesis set. This section will introduce formulas to describe the deployment of the size and structure of the (extensive) hypothesis set for distinct number of observations and distinct Mix parameters N , b, m. In particular we will answer the following questions: – How many observation are required to disclose all of Alice’s peers? – How likely is it to find k ≤ m of Alice’s peers in a random minimal hitting set after t observations? – What is the average number of observation to disclose at least one peer of Alice? 4.1 Full Disclosure The full disclosure of Alice’s peer set is the unambiguous identification of all of Alice’s peer recipients, i.e. the identification of HA . Mean Number of Minimal Hitting Sets. In this section, we derive closed formulas for the mean number of hypotheses after t observations for distinct classes. Let Vi be a random variable, where Vi = 1 is the event that a particular hypothesis H of the class Hi remains valid after t observations, while Vi = 0 denotes the inverse event. The probability of Vi = 1 corresponds to t stochastically independent Bernoulli trials, where the outcome of each of the t trials shows that the minimal hitting set remains valid. Thereby a Bernoulli trial corresponds to the outcome, whether H remains valid at the next collected observation. Since each observation appears stochastically independently from those in the past and in the future, we have a natural mapping of the “remaining valid event” of H on the independent Bernoulli trials, hence: P (Vi = 1) = [P (H remains valid at next observation)]t is the probability that H remains a hypothesis after t observations, which is by (3) exactly (1 − pinv (N, b, m, i))t . Let Hi = {H1 , . . . , H|Hi | } be a minimal hitting set class containing only hypotheses and Vij be the event that the hypothesis Hj ∈ Hi remains valid after t observations. The expectation E of the number of hypotheses in Hi after t observations is thus the expectation of the convolution of the random variables Vi1 , . . . , Vi|Hi | . This expectation is represented by (4). |Hi |  Thereby we benefit from the additivity of E(V , . . . , V E(Vij ) (4) i1 i|Hi | ) = the expectation function by splitting the j=1 complex expectation on the left side to a |Hi |  sum of expectation of single Vij events on = P (Vij = 1) the right side. The probability of the outj=1 come P (Vij = 1) is identical for each = |Hi |P (Vi = 1) . (5) fixed hypothesis Hj ∈ Hi (i.e. P (Vij = 1) = P (Vi = 1)), hence the right side of the former equation can be simplified to (5).

A Combinatorial Approach for an Anonymity Metric

37

Note that the events Vij , Vik for i, k ∈ {1, . . . |Hi |} and j  = k are not stochastically independent, hence the probability P (Vij ) = P (Vi ) respectively P (Vik ) = P (Vi ) only holds, if we consider single events, as on the right side of the equation below. To clarify that (5) depends on the parameter N , b, m and t we use the more elaborate formulation:

m i m E|H i | (N, b, m, t) = |Hi |(1 − pinv (N, b, m, i)) = (b − 1)i (1 − (1 − )b−1 )t (6) i m N t

for the expected number of remaining hypotheses of class Hi . Formula (4) can be easily extended to cover the mean number of observations for any combination of classes including the consideration of all classes. The expectation of the remaining hypotheses with respect to the initial hypothesis set H is: m    m i m E|H| (N, b, m, t) = (b − 1)i (1 − (1 − )b−1 )t i m N i=0

≤ ((b − 1)e− m (1− N ) t

m b−1

+ 1)m .

(7)

Time to Reduce Hypothesis Set to a Threshold. The expectations E|Hi | and E|H| of the number of hypotheses after t observations can be easily reformulated to derive the number of observations, such that a hypotheses remains on average. By a transformation of (6), where a denotes the left side of the equation, we obtain:   ln a − ln mi − i ln (b − 1) tH i = for a > 0 . (8) b−1 ) ln (1 − mi (1 − m N) This equation represents the number of observations, such that at most a hitting sets remain on average in the class Hi for i ≥ 1. Similarly we reformulate (7) to obtain the number of observations tH , such that there are on average less than a minimal hitting sets left from the initial hypothesis set H. Alice’s peer set HA always remains in H, therefore a > 1. tH ≤

m(ln (b − 1) − ln (a1/m − 1)) b−1 (1 − m N)

for a > 1 .

(9)

Comparison to Simulation. This section visualise the precision of the function tH of Sect. 4.1 by comparing it with the mean time of full disclosure obtained by our hitting set simulations. The simulation applies the HS-Attack on simulated observations, until Alice’s peer set can be uniquely identified. This simulation is run several times to obtain a confidence interval of 95% on the mean number of observations to identify Alice’s peer set. The observations are generated under the assumption of a uniformly distributed communication of Alice and the other senders. That is Alice chooses one of her m peers 1 with probability m and each of the other senders chooses its peer from all N receivers with the probability N1 at each round. This distribution complies to the distribution used in our formulas.

38

D.V. Pham and D. Kesdogan N=400, varying b, m=10

varying N, b=10, m=10

300 HS HS2 HS1.1

250

number of observations [t]

HS HS2 HS1.1

number of observations [t]

number of observations [t]

N=400, b=10, varying m 500 450 400 350 300 250 200 150 100 50 0

200 150 100 50 0

0

5

10

15

20

25

Alice’s peer size [m]

30

0

10

20

30

40

50

550 500 450 400 350 300 250 200 150 100 50

HS HS2 HS1.1

0

100

200

300

batch size [b]

400

500

600

700

800

900 1000

number of peers [N]

Fig. 2. Number of observations: Full disclosure by simulation (HS), reduction of hypothesis set to size below 2 (HS2) and below 1.1 (HS1.1)

The plots in Fig. 2 compare the mean number of observations for full disclosure obtained by the simulation (HS) with the number of observations to reduce the initial hypothesis set to a cardinality less than 2 (HS2) respectively less than 1.1 (HS1.1) using (9). The y-axes of the plots shows the number of observations, while the x-axes vary one of the parameters N ,b, or m. Note that the mean number of observations for full disclosure is not necessary equal to the number of observation to reduce the hypothesis set to a particular size, although these two values are strongly related to each other. Let μdis be the mean number of observations for the full disclosure, then the mean number of hypotheses after μdis observations is obviously larger than 1. Depending on the variance of the number of hypotheses around μdis , more than μdis observations are necessary to keep the number of hypotheses closed to 1. This is shown by the Fig. 2. The HS2 curve is almost identical to the HS curve, whereas the HS1.1 curve is noticeably above the HS curve. Parallel to us [25] suggested a “lower bound” t∗ for the mean number of observations for full disclosure using the same Mix and attacker model. They compute for each of the N m “normal” (not extensive) hypotheses the probability that it is excluded after t observations and claim that t∗ is the lower bound of the time when only one hypothesis remains. Figure 3 shows that t∗ is far away being N  from N −b  a lower bound. Firstly, there are at most − “normal” hypotheses after the first obserm m vation due to the Mix model, but this restriction is not in their mathemtic model and causes a significant overes- Fig. 3. Comparison: Simulation set timation. Secondly, even if this would be corrected, the (HS), reducing hypothesis ∗ below 1.1 (HS1.1), t (t*) evolution of the “normal” hypothesis set depends on the distribution of the hypotheses’ structures remaining after the first observation and those succeeding that. This is not mathematically modeled and might be very difficult to do. N=400, varying b, m=10

number of observations [t]

1400

HS HS1.1 t*

1200 1000 800 600 400 200 0

0

5

10

15

20

25

30

35

40

batch size [b]

4.2 Partial Disclosure The partial disclosure is the unambiguous identification of a subset HA ⊆ HA of Alice’s peer set. The full disclosure in Sect. 4.1 is a special case of the partial disclosure. Probability to Identify k Particular Peers. The probability to identify k particular peers HA ⊆ HA of Alice after at most t observations is the probability that all hypotheses are excluded that do not contain all of these k = |HA | peers after at most

A Combinatorial Approach for an Anonymity Metric

39

t observations. This probability is a discrete distribution with respect to t and we will address it by the term fid . The probability to exclude a particular hypothesis depends on its class, therefore we will first determine the number of hypotheses of each class Hi that have to be excluded. Number of Exclusions in a Class. We remember from (2) that the size of Hi is |Hi | = m i (b − 1) . In this class i of the m peers of Alice are replaced by non-peers. Therefore i m−k  i (b − 1) is the number of hypotheses in the class Hi , where the k of Alice’s peers i HA are not replaced by non-peers. The number of hypotheses in Hi that have to be excluded to enable the identification of HA is therefore: m m − k  exNo i (b, m, k, i) = − (b − 1)i . (10) i i Note that we distinguish between the to be excluded hypotheses with respect to their class membership, because the probability to exclude a hypothesis depends on its membership as shown in Sect. 3.2. Also note that we only know the probability with respect to the exclusion of a single hypothesis. If two hypotheses H1 and H2 are considered, then there could be a stochastic dependency between them, i.e. if H1 is excluded, then H2 might be excluded, too. For that reason we make the simplifying assumption that all minimal hitting sets are stochastically independent. This enables us to unrestrictedly apply pinv to describe the exclusion of hypotheses. The following equation derives the distribution fid with respect to the parameters N , b, m, t and the number k = |HA | of Alice’s peers that should be identified. fid (N, b, m, k, t) =

m−k

m

m−k i

(1 − (1 − pinv (N, b, m, i))t )(( i )−(

i=1 m

))(b−1)i

(11)

m i (1 − (1 − pinv (N, b, m, i))t )( i )(b−1) .

i=m−k+1

Probability to Identify at Least k Peers. Based on the function fid of the last section, we will derive the probability distribution fidany that at least k of Alice’s peers can be identified after at most t observations. In contrast to the previous section we are not focusing on disclosing particular peers, but on the probability to disclose a certain number of peers. Let Y k be a random variable denoting the event that particular k peers of Alice’s peer set HA are identified, i.e. Y k = 1 if the designated peers are identified else Y k = 0 for the inverse case. To simplify the notation we will abbreviate the probability P (Y k = 1) by the term P (Y k ).   Let Y1k , . . . , Y km be m k distinct random variables. Each of this variable represents (k) the event that distinct subsets of HA of cardinality k are identified. In order to compute the probability that at least k of Alice’s peers can be disclosed,   we have to determine the probability that any of these Yik events, for i ∈ {1, . . . , m k } takes place. Thereby   it would be imprecise to simply sum up the probabilities P (Yik ) for i ∈ {1, . . . , m k },

40

D.V. Pham and D. Kesdogan

because the events Yik are not stochastically independent. We can solve this problem by applying the inclusion-exclusion-formula: P (Y1k ∨ . . . ∨ Y(km) ) = P (Y1k ) + . . . + P (Y(km) ) k

(12)

k

− P (Y1k , Y2k ) − . . . − P (Y(km)−1 , Y(km) ) . . . + . . . − . . . . k

k

Assume that {ai1 , ai2 } and {aj1 , aj2 } are those peers that are identified by the event Yik respectively Yjk (for k = 2). The above term P (Yik , Yjk ) is the probability that all peers of the joint set {ai1 , ai2 , aj1 , aj2 } are identified. Let us denote the joint event by the   term Y k , where k  = |{ai1 , ai2 , aj1 , aj2 }| ≤ 2k, then P (Yik , Yjk ) = P (Y k ) can be computed by (11). It is also obvious that this transformation can even be applied to an  arbitrary number of joints of events, i.e. we can transform P (Y1k , . . . , Yzk ) to P (Y k ) for any z ≥ 1 accordingly. The next formula is an elaborate formulation of (12) for the special case of k = 1. It is the probability to identify at least one of Alice’s peers after at most t observations.

  m  s−1 m fidany (N, b, m, t, 1) = (−1) fid (N, b, m, s, t) . (13) s s=1 The general probability distribution for arbitrary values of k, where k ≤ m is the least number of peers that are to be disclosed is:

fidany (N, b, m, t, k) =

(m k)  i=1

(−1)i−1

−(i−1) (mi) j1 =1

···

−(i−i) (mi)

fid (N, b, m, |

ji =ji−1 +1

k 

Yjz |, t) ,

z=1

k where z=1 Yjz is the union of the set of peers identified by each Yjz . Given the distribution fidany (N, b, m, t, k), the probability that at least k peers can be identified after exactly t observation is: pidany (N, b, m, t, k) = fidany (N, b, m, t, k) − fidany (N, b, m, t − 1, k) . Mean Time to Deanonymization. We are now able to provide the first existing formula to compute the mean number of observations to unambiguously identify at least k of Alice’s peer, which we call MTTD-k. Eidany (N, b, m, t, k) =

∞ 

t pidany (N, b, m, t, k) .

(14)

t=1

Note that in particular Eidany (N, b, m, t, 1), which is the mean number of observations needed to identify at least one of Alice’s peers (MTTD-1) should be considered as a more appropriate measurement of the lower bound of the anonymity provided by Mix systems. This is justified by the fact that MTTD-1 measures the time point, when the attacker gains the first unambiguous information about Alice’s communication partners and thus breaks the anonymity function of the Mix. In contrast to this, full disclosure,

A Combinatorial Approach for an Anonymity Metric N=400, varying b, m=10

varying N, b=10, m=10

350 300 250 200 150 100 50

400 HS HS2 MTTD-1

160 140

number of observations [t]

HS HS2 MTTD-1

400

number of observations [t]

number of observations [t]

N=400, b=10, varying m

180

450

120 100 80 60 40 20 0

0 0

200

400

600

800

1000

41

HS HS2 MTTD-1

350 300 250 200 150 100 50 0

0

5

10

15

20

25

30

35

40

0

5

10

batch size [b]

number of peers [N]

15

20

25

30

Alice’s peer size [m]

Fig. 4. Disclosure of at least one peer (MTTD-1), simulated full disclosure (HS), reduction of hypothesis set size below 2 (HS2)

or the number of observations to reduce the hypothesis set below a particular size a can not expose this threat. Figure 4 compares the expected number of observations to disclose at least one peer (MTTD-1) by using Eidany (N, b, m, t, 1) with the simulation result for the mean number of observations for full disclosure (HS) and the mean number of observation to reduce the hypothesis set to a size below 2 (HS2) computed by (9). The comparison is with respect to different parameters N , b, m. We can see that the partial disclosure (MTTD-1) appears noticeable earlier than full disclosure (HS) and before the hypothesis set is reduced to a size below 2. This difference increases, the more observations are required for full disclosure and shows that full disclosure alone is insufficient to measure anonymity. 4.3 Beyond Unambiguous Identification of Peers Our model also enables us to consider the number of Alice’s peers contained in any computed minimal hitting set after a particular number of observations. Figure 5 plots the number of observations to reduce each minimal hitting class Hi to a size less than a by using (8). The figure shows this for a = 1 by the HS1 curve and for a = 0.1 by the HS0.1 curve for the Mix parameters N = 400, b = 10, m = 10. We can see that minimal hitting set classes Hi containing less of Alice’s peers are reduced earlier than those containing more of Alice’s peers. Thus after a particular number of observations t, the number of hypotheses containing less than k Alice’s peers are negligible, since E|Hi | (t) < a for i > (m − k). In particular our plot shows that after about t = 40 observations, the at- Fig. 5. No. of observ. to reduce tacker will unlikely find a minimal hitting set containing size of Hi below 1 (HS1) and less than 7 of Alice’s peers. Thus any minimal hitting set 0.1 (HS0.1). computed by the attack contains with a high probability at least 70% of the peers of Alice. If we assume that minimal hitting sets are excluded stochastic independently from each other, then the probability to find at least k of m peers of Alice after at most t observations is: N=400, b=10, m=10, varying class Hi

number of observations [t]

90

HS1 HS0.1

80 70 60 50 40 30 20 10

0

fid k (N, b, m, k, t) ≥

m

2

4 6 Minimal hitting set class [Hi]

(1 − (1 − pinv (N, b, m, i))t )|Hi | .

i=m−k−1

8

10

42

D.V. Pham and D. Kesdogan

5 Conclusions In this work, we investigated the fundamental structures for anonymity that we identified as the hypothesis set. The analysis of the hypothesis set is made under the assumption of a uniformly distributed communication of the senders and of static peer sets. This assumption is chosen in a way, such that we obtain a conservative consideration of anonymity, which can be considered as a lower bound of the anonymity provided by Mixes in the real world. Based on the ExactHS [23], we derived a comprehensive mathematic model to probabilistically describe the inherent properties of the hypothesis set in detail. In particular we estimated in Sect. 4 the size of the hypothesis set, the structure of hypotheses in it, the size of those structures and the probability that particular hypotheses are included in it, with respect to the parameters N ,b,m at any number of observations. This information enabled a fine granular measurement of anonymity that also measures those protection states before the point of full disclosure. In particular MTTD-k introduced in Sect. 4.2 determined the mean number of observations to disclose from one to all Alice’s peers. The evaluations of MTTD -1 (see Fig. 4) showed that the first unambiguous knowledge about one of Alice’s peers can be gained noticeably before full disclosure. It is therefore not sufficient to solely consider full disclosure (which is the focus of all existing hypothesis set based approaches e.g. [5, 23, 25]) for anonymity measurement. Furthermore, our model even enabled an analysis granularity beyond the scope of unambiguous identification of peers. This is shown in Sect. 4.3, which provided the probability to find a certain number of Alice’s peers in randomly computed hypotheses. This insight opens the door for a new refined metric, which also covers unambiguous information in the anonymity consideration. We also showed that our mathematic model and the resulting measurements were precise and meaningful by comparison to simulations. All results were in reasonable scopes and reflected the right relations to the Mix parameters N , b, m and the number of observations t. The elementary model and analyses of our work are important for designers and users of Mix networks. It enables Alice to estimate how much information she is going to leak about her peers with each of her communications. That way she knows when to stop communicating, or to add dummy traffic to remain information theoretic anonymous, such that even attackers with unlimited computing power cannot reveal her peers. In the future we intend to integrate the leakage of unambiguous and ambiguous information about Alice’s peers in one metric. In conjunction with this, we will analyse the uncertainty caused by dummy traffic. Finally we will refine our model to expand the analysis beyond the uniform communication assumption to get closer to the real world.

References [1] Chaum, D.L.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), 84–88 (1981) [2] Pfitzmann, A., K¨ohntopp, M.: Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 1–9. Springer, Heidelberg (2001)

A Combinatorial Approach for an Anonymity Metric

43

[3] Eusgeld, I., Freiling, F.C., Reussner, R. (eds.): Dependability Metrics. LNCS, vol. 4909. Springer, Heidelberg (2008) [4] Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949) [5] Kesdogan, D., Agrawal, D., Pham, V., Rauterbach, D.: Fundamental Limits on the Anonymity Provided by the Mix Technique. In: IEEE Symposium on Security and Privacy (May 2006) [6] Clauß, S., Schiffner, S.: Structuring Anonymity Metrics. In: DIM 2006: Proceedings of the second ACM workshop on Digital identity management, pp. 55–62 (2006) [7] Deng, Y., Pang, J., Wu, P.: Measuring Anonymity with Relative Entropy. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 65–79. Springer, Heidelberg (2007) [8] D´ıaz, C., Seys, S., Claessens, J., Preneel, B.: Towards Measuring Anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 54–68. Springer, Heidelberg (2003) [9] Edman, M., Sivrikaya, F., Yener, B.: A Combinatorial Approach to Measuring Anonymity, 356–363 (2007) [10] Serjantov, A., Danezis, G.: Towards an Information Theoretic Metric for Anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 259–263. Springer, Heidelberg (2003) [11] T´oth, G., Horn´ak, Z., Vajda, F.: Measuring Anonymity Revisited. In: Proceedings of the Ninth Nordic Workshop on Secure IT Systems, pp. 85–90 (November 2004) [12] Zhu, Y., Bettati, R.: Anonymity vs. Information Leakage in Anonymity Systems. In: ICDCS 2005: Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, pp. 514–524 (2005) [13] Clarkson, M.R., Myers, A.C., Schneider, F.B.: Belief in Information Flow. In: Proceedings of the 18th IEEE workshop on Computer Security Foundations, pp. 31–45 (2005) [14] Reiter, M.K., Rubin, A.D.: Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security 1, 66–92 (1998) [15] Mantel, H.: A Uniform Framework for the Formal Specification and Verification of Information Flow Security. PhD thesis, Universit¨at des Saarlandes (July 2003) [16] Schneider, S., Sidiropoulos, A.: CSP and Anonymity. In: Martella, G., Kurth, H., Montolivo, E., Bertino, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 198–218. Springer, Heidelberg (1996) [17] Halpern, J.Y., O’Neill, K.R.: Anonymity and Information Hiding in Multiagent Systems 13, 483–514 (2005) [18] Hughes, D., Shmatikov, V.: Information Hiding, Anonymity and Privacy: a Modular Approach. J. Comput. Secur. 12, 3–36 (2004) [19] Padlipsky, M.A., Snow, D.W., Karger, P.A.: Limitations of End-to-End Encryption in Secure Computer Networks. Technical Report ESD-TR-78-158 (August 1978) [20] Pfitzmann, A.: Diensteintegrierende Kommunikationsnetze mit teilnehmer¨uberpr¨ufbarem Datenschutz. Informatik-Fachberichte, vol. 234 (1990) [21] Kesdogan, D., Pimenidis, L.: The Hitting Set Attack on Anonymity Protocols. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 326–339. Springer, Heidelberg (2004) [22] Kesdogan, D., Agrawal, D., Penz, S.: Limits of Anonymity in Open Environments. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 53–69. Springer, Heidelberg (2003) [23] Pham, V.: Analysis of the Anonymity Set of Chaumian Mixes. In: 13th Nordic Workshop on Secure IT-Systems (October 2008) [24] Pham, D.V.: Analysis of Attacks on Chaumian Mixes (Analyse von Angriffen auf Chaummixen). Master’s thesis, RWTH-Aachen (April 2006) [25] O’Connor, L.: Entropy Bounds for Traffic Confirmation. Cryptology ePrint Archive (2008), http://eprint.iacr.org/2008/

On Improving the Accuracy and Performance of Content-Based File Type Identification Irfan Ahmed1 , Kyung-suk Lhee1 , Hyunjung Shin2 , and ManPyo Hong1 1

2

Digital Vaccine and Internet Immune System Lab Graduate School of Information and Communication, Ajou University, South Korea {irfan,klhee,mphong}@ajou.ac.kr Department of Industrial and Information Systems Engineering, Ajou University, South Korea [email protected]

Abstract. Types of files (text, executables, Jpeg images, etc.) can be identified through file extension, magic number, or other header information in the file. However, they are easy to be tampered or corrupted so cannot be trusted as secure ways to identify file types.In the presence of adversaries, analyzing the file content may be a more reliable way to identify file types, but existing approaches of file type analysis still need to be improved in terms of accuracy and speed. Most of them use bytefrequency distribution as a feature in building a representative model of a file type, and apply a distance metric to compare the model with bytefrequency distribution of the file in question. Mahalanobis distance is the most popular distance metric. In this paper, we propose 1) the cosine similarity as a better metric than Mahalanobis distance in terms of classification accuracy, smaller model size, and faster detection rate, and 2) a new type-identification scheme that applies recursive steps to identify types of files. We compare the cosine similarity to Mahalanobis distance using Wei-Hen Li et al.’s single and multi-centroid modeling techniques, which showed 4.8% and 13.10% improvement in classification accuracy (single and multi-centroid respectively). The cosine similarity showed reduction of the model size by about 90% and improvement in the detection speed by 11%. Our proposed type identification scheme showed 37.78% and 31.47% improvement over Wei-Hen Li’s single and multi-centroid modeling techniques respectively. Keywords: file type identification, byte frequency distribution, cosine similarity, Mahalanobis distance, linear discriminant, cluster analysis.

1

Introduction

File type identification is an important task for many security applications to work efficiently. For example, filtering email attachments may require blocking inbound attachment types that may contain malicious contents. Virus scanners may be configured to skip some file extensions; in Norton Antivirus 2008 for C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 44–59, 2009. c Springer-Verlag Berlin Heidelberg 2009 

On Improving the Accuracy of Content-Based File Type Identification

45

example, we have an exclusion option to specify file types to skip for virus scan [1]. Some applications raise alerts before opening unrecognized (therefore suspicious) file extensions; for instance, Windows Media player raises an alert when user tries to open a file of unrecognized extension. Some steganalysis programs also rely on file type detection; for example, stegdetect [2], which detects steganographic contents in images, uses libmagic1 package [3] to determine file type using magic numbers. However, they are easy to be tampered or corrupted so cannot be trusted as secure ways to identify file types. In the presence of adversaries, analyzing the file content may be a more reliable way to identify file types. Solutions that analyze file content usually build a representative model of a file type by averaging the byte frequency distributions of sample files, and use a measure to find out the consistency between the model and the byte frequency distribution of the file in question. Moreover, mahalanobis distance is a popular measure to compare byte frequency distributions such as it is used in PAYL [4], Fileprint [6], [5], [7]. However, existing approaches of file type analysis still need to be improved in terms of accuracy and speed. In this paper, we propose two schemes to improve the analysis of file content for type identification. First, we show that the cosine similarity [8] is a better metric than mahalanobis distance in terms of classification accuracy, smaller model size and faster detection rate. Secondly, we propose a new type identification scheme that recursively refines the type of a file in question. We use Wei-Hen Li et al [6]’s modeling technique to compare the cosine similarity (CS) and Mahalanobis distance (MD). Wei-Hen Li’s work is a representative modeling technique in that it uses MD and its single centroid model is also used by other schemes [9], [10], [11]. Its multi-centroid model is comparable to our recursive scheme. In our proposed type identification scheme, we group files with similar bytefrequency pattern irrespective of their file types (whereas Wei-Hen Li’s technique groups files with the same type). Then we apply the linear discriminant analysis [12] to identify the type of each file. Our proposed scheme shows better result than Wei-Hen Li’s single and multi-centroid modeling technique (considering both CS and MD as distance metric). This paper is organized as follows. Section 2 presents the related work. Section 3 describes the assumptions that are required for robust techniques of bytefrequency analysis, and explains the dataset used in this paper. Section 4 explains our experiment results on cosine similarity and Mahalanobis distance. Section 5 discusses the weaknesses of Wei-Hen Li’s modeling technique. Section 6 presents our recursive file-type identification scheme. Section 7 analyzes the proposed scheme. In section 8, we compare the Wei-Hen Li’s single and multi-centroid models (using both CS and MD) with the proposed scheme, and Section 9 shows the conclusions and future work.

2

Related Work

This section discusses the previous techniques for file type identification. Some of these techniques are commonly used by operating systems where the file type

46

I. Ahmed et al.

information is explicitly written either in the file header or in the file name. There are other techniques which analyze the file content to identify the file type. The most common and the simplest way to identify file type is to look at the file’s extension [13], but this can be easily spoofed by users with malicious intent. Novice users could also unintentionally change the file extension while renaming the file name. Malwares could also easily hide themselves by having file extensions that virus scanners skip. Another method to identify file type is to look at magic numbers in the file [14]. For example, GIF files begin with ASCII representation of either GIF87a or GIF89a depending on the standard. ZIP files always have the magic number ”PK” at the beginning of the file. However, only binary files have magic numbers so it is not applicable to text files. As with the file extension, it can also be easily spoofed. For instance, malcodes can be hidden using code obfuscation and alphanumeric encoding [15], [16], [17], [18]. McDaniel and Heydari [19] introduce three algorithms to identify file types by analyzing file content. In byte frequency analysis algorithm (BFA), they calculate byte-frequency distribution of different files and generate ”fingerprint” of each file type by averaging byte-frequency distribution of their respective files. They also calculate correlation strength as another characterizing factor. They take the difference of the same byte in different files. If the difference gets smaller, the correlation strength increases towards 1 or vice versa. In byte-frequency crosscorrelation algorithm, they find the correlation between all byte pairs. They calculate the average frequency between all byte pairs and correlation strength similar to the BFA algorithm. In file header/trailer algorithm, the file headers and trailers are byte patterns that appear in a fixed location at the beginning and end of a file. They maintain an array of 256 for each location and the array entry corresponding to the value of the byte is filled with correlation strength of 1. They construct the fingerprint by averaging the correlation strength of each file. In these algorithms, they compare the file with all the generated fingerprints to identify its file type. Wei-Hen Li et al. identify file types using n-gram analysis. They calculate 1-gram frequency distribution of files and build 3 different models of each file type: single centroid (one model of each file type), multi-centroid (multiple models of each file type), and exemplar files (set of files of each file type) as centroid. They refer them as ”fileprint”. In single and multi-centroid models, they calculate mean and standard deviation of 1-gram frequency distribution of files, and use Mahalanobis distance to compare these models with 1-gram distribution of given file to find the closest model. In exemplar file model, they compare 1-gram distribution of exemplar file with that of given file (there is no variance computed), and Manhattan distance is used instead of Mahalanobis distance. Their solution cannot identify files having similar byte-frequency distributions such as MS Office file formats (such as Word and Excel) but treat them as one group or one abstract file type.

On Improving the Accuracy of Content-Based File Type Identification

47

Karresand and Shahmehri [9], [10] proposed the  Oscar method for identifying the types of file fragments. They build the single centroid fileprints [6] but use quadratic distance metric and 1-norm as distance metric to compare the centroid with the byte frequency-distribution of file. Although Oscar identifies any file type, they optimized their algorithm for JPG file using specific byte pairs in the file, and reported 99.2% detection rate with no false positives. They also use rate of change of bytes, i.e. the difference of two consecutive byte values where they consider the ordering information of bytes. Veenman [11] extracts three features from file content. These features are 1) byte frequency distribution, 2) entropy derived from byte-frequency distribution of files, and 3) the algorithmic or Kolmogorov complexity that exploits the substring order [20]. The Fisher linear discriminant is applied to these features to identify the file type. Calhoun and Coles [21] extended Veenman’s work by building classification models (based on the ASCII frequency, entropy, and other statistics) and apply linear discriminant to identify file types. They also argued that files of same type probably have longer substrings in common than that of different types. Our recursive scheme also uses the byte-frequency distribution as a feature and linear discriminant analysis for classification. However, the main difference of ours from Veenman’s scheme is the way we build the classification model for each file type. Veenman computes one discriminant function for each file type using all its sample files. However, our scheme combines the similar byte frequency files in groups irrespective of their file types using clustering, and computes the linear discriminant function for each file type in each group. Hence multiple functions could be computed for each file type. Veenman reported 45% overall accuracy while our scheme shows 77% overall accuracy.

3 3.1

Assumptions and Dataset Details Assumptions for Byte-Frequency Distributions of File Types

We make two assumptions for byte-frequency distribution of files. 1. Byte-frequency distributions of different file types could be homogeneous. That is, they could have similar byte frequency distributions (Figure 1(a) and 1(b)) 2. Byte-frequency distributions of a file type could be heterogeneous. That is, files of the same type could have different byte-frequency distributions (Figure 1(c) and 1(d). We believe that a robust solution for file-type identification, which uses byte-frequency distribution to build representative models of file types, should satisfy these assumptions. The proposed recursive scheme is based on these assumptions.

48

I. Ahmed et al.

(a) ASP

(b) HTML

(c) DOC

(d) DOC

Fig. 1. a) and b) show that ASP and HTML can have similar byte-frequency patterns. c) and d) show that two DOC files can have different byte-frequency patterns (X-axis represents the byte patterns and y-axis the relative byte frequency).

3.2

Dataset

In our experiments, we used two datasets to analyze different file-type identification schemes and our scheme. One dataset is used to build the representative models of file types and the other to test the classification accuracy of the identification schemes. 10 file types (JPG, HTML, GIF, EXE, MP3, PDF, TXT, DOC, XLS, and ASP) are included in each dataset, with each type having 100 files. These file types are chosen since they are popularly used and cover a broad range of file contents such as binary files (JPG, GIF, EXE, MP3, PDF), printable character files (TXT, HTML, ASP), and the files that contain binary and characters (DOC and XLS).

4 4.1

Cosine Similarity: An Efficient Measure to Compare Byte Frequency Vectors Cosine Similarity

Cosine similarity is a measure to compare two vectors. If is a byte-frequency vector of a test file and is the representative model vector of a file type (that is achieved by averaging the byte-frequency distributions of the sample files of the file type), cosine similarity is defined by Eq. 1. cos(x, y¯) =

x.¯ y |x||¯ y|

(1)

On Improving the Accuracy of Content-Based File Type Identification

49

n Where the vector dot product, x.¯ y = ¯k and |x| = k=1 xk y n . indicates √ 2 = x x.x is the length of vector , The value of cosine similarity lies k=1 k between 0 and 1. If the cosine similarity is 1, cosine angle between x and y¯ is 0, thus x and y¯ is the same except the magnitude. If the cosine similarity is 0, cosine angle between x and y¯ is 90◦ , which means they are absolutely dissimilar to each other. Cosine similarity is quite different from Mahalanobis distance, as it does not use standard deviation but it takes account of the varying size of files. Whereas the byte-frequency distribution of a file needs to be normalized (by dividing each frequency with file size) in order to use Mahalanobis distance, there is no need to normalize the files when using cosine similarity. In our experimental results presented in next section we found that, unlike Mahalanobis distance, cosine similarity does not lose accuracy even if we truncate the representative model of a file type (so that it contains a subset of highly occurring byte patterns). Thus, using a small number of byte patterns makes it more efficient as it requires less memory and computation without losing accuracy. 4.2

Performance Comparison between Cosine Similarity and Mahalanobis Distance

We use Wei-Hen Li’s modeling technique in comparing the classification accuracy of cosine similarity and Mahalanobis distance. The reasons we use their technique are that it uses Mahalanobis distance, its single-centroid model is a representative technique also used by other schemes [9], [10], [11], and its multicentroid model is comparable to our recursive scheme presented in later section. They build representative model of file type, by combining the byte-frequency distribution of several files of the same type (considering each byte pattern in the distribution as a variable) and averaging their relative frequencies. It is referred as single-centroid model. They also proposed to build multiple representative models of a file type in a similar fashion, but in this case they further group the files of a same type based on their byte-frequency distributions. Such models are referred as multi-centroid model. We applied, for each file type, multiple truncated models that contain only subsets of byte patterns. For this, we first sorted the byte patterns of a file type (in the order of highest occurring to lowest) and then create multiple models by gradually reducing the number of byte patterns. The rationale behind this is that byte-patterns that rarely occur in a file type may not be representative of that type, but rather be noises. Hence excluding them from the model may be beneficial since it requires smaller memory and computation, and may even increase the classification accuracy in some cases We also use the simplified Mahalanobis distance formula that is used in WeiHen Li’s work, which is defined as follows. n−1 (|xi − .¯ yi |) d(x, y¯) = i=0 ¯ (2) δi

50

I. Ahmed et al.

where x is a byte-frequency vector of a test file, and y¯ and δ¯ are the mean value and standard deviation of the byte-frequency distributions of the sample files (used to build the model of a file type). Figure 2 (from a to d) shows the classification accuracy of Mahalanobis distance and cosine similarity (on some of the 10 sample file types as mentioned in section 3.2) using different percentages of byte-patterns of single- and multicentroid models). We used K-means algorithm (as used in Wei-Hen Li’s work) to build multi-centroid models. We chose a random value of K (3 in this experiment) as Wei-Hen Li et al. reported that they observed similar results on different values of K. We observed that, in most of the file types, the classification accuracy is degraded as we decrease the number of byte-patterns in the model when using Mahalanobis distance. However using cosine similarity, the classification accuracy either remains the same or shows some improvement. Figure 2 (e) shows the average classification accuracy of Mahalanobis distance and cosine similarity. We can observe that cosine similarity shows better accuracy than Mahalanobis distance, and the multi-centroid model shows better accuracy than single-centroid model. We can also observe that the cosine similarity shows not much difference in classification accuracy even if only 10% of (high frequency) byte-patterns are used. This experiment suggests that we may use a small percentage of high frequency byte-patterns, which reduces the model size and also improve the computation time to compute the cosine similarity values. Figure 2 (f) shows that by using only 10% of byte-patterns the elapsed time is reduced by approximately 11%. Our experiment considers each byte-pattern as a variable (that is, 1-gram analysis). Since the size of model using 1-gram frequency distribution is small (there are only 256 patterns), there is not much opportunity for improvement on memory space and time. However, models using higher ngrams [22], [23] (i.e. a variable consists of a sequence of multiple bytes) are much bigger since the number of distinct patterns grows exponentially. Therefore the improvement in model size and computation time will be much greater if we use higher n-gram (higher n-gram is out of the scope of this paper).

5

Accuracy of Wei-Hen Li et al.’s Single- and Multi-centroid Models

Figure 2 (e) shows that the average classification accuracy using Wei-Hen Li’s modeling technique is less than 80%, which may not be satisfactory for many applications. This section presents a discussion of why we think it is so. Our reasoning below is the basis of our proposed scheme in the next section. In section 3, we argue that files of a same type could have different bytefrequency patterns. In such case, averaging the different byte-frequency patterns i.e. building a single-centroid model would not yield an accurate representative model (figure 3). In multi-centroid model, a model is built using the files of the same type having similar byte frequency patterns. In section 3, we also argue that files of different types could have similar byte-frequency patterns. Hence it is possible that similar models of different file types are built (figure 4).

On Improving the Accuracy of Content-Based File Type Identification

(a) Comparison of MD and CS on SC and MC models using ASP files

(b) Comparison of MD and CS on SC and MC models using HTML files

(c) Comparison of MD and CS on SC and MC models using TXT files

(d) Comparison of MD and CS on SC and MC models using PDF files

(e) Average classification accuracy of MD and CS on SC and MC models using 10 file types mentioned in figures (a to j)

51

(f) Improvement in elapsed time of file type detection by processing 1500 files (419MB of total size) on different percentages of byte patterns of representative models.

Fig. 2. a) and b) show that ASP and HTML can have similar byte-frequency patterns. c) and d) show that two DOC files can have different byte-frequency patterns (X-axis represents the byte patterns and y-axis the relative byte frequency).

52

I. Ahmed et al.

(a) DOC single centroid model

(b) A particular DOC file

Fig. 3. Inaccurate single centroid model of the DOC file type. (x-axis represents byte patterns and y-axis is the relative byte frequency).

(a) HTML

(b) TXT

(c) ASP

Fig. 4. Similar multi-centroid models of different file types. (x-axis represents bytepatterns and y-axis is the relative byte frequency).

Therefore, when identifying the type of a file, both algorithms (i.e. inaccurate single-centroid model and similar multi-centroid models of different file types) are easily confused with similar nature of other file types (such as TXT, ASP, and HTML) and produces inaccurate results.

6

The Proposed File-Type Identification Scheme

A weakness in Wei-Hen Li’s multi-centroid model is that it does not cope well with different types of files having similar byte-frequency distributions. Based on this observation, we propose a scheme that applies recursive steps to classify file types. Our scheme builds a representative model in two steps; we first divide files of varying types (in the sample space) into a few clusters, each of which contain files with similar byte-frequency patterns irrespective of their actual types. Then we apply linear discriminant analysis to find the distinguishing byte-patterns (i.e. a model of a file type) from similar byte-frequency distributions in each cluster. 6.1

Building a Representative Model of a File Type

Clustering is an exploratory statistical procedure to naturally group the data into different clusters. At this stage we do not make any consideration on file types.

On Improving the Accuracy of Content-Based File Type Identification

53

Fig. 5. Identifying a test file using our proposed scheme

After the clusters are built, each cluster could have files with many different types (although the files have similar byte-pattern frequencies). Therefore we need to further divide the type of files in each cluster. For this we perform linear discriminant analysis (LDA), which finds linear combination of byte-patterns to make further distinction of file types. It derives discriminant function for each file type in each cluster. For instance, if two clusters have mp3 files, LDA derives two linear discriminant functions (i.e., one for each cluster). The output of linear discriminant function is called discriminant score, which is supposed to be the least for actual file type. 6.2

Detection Algorithm

Figure 5 illustrates the detection process of our proposed scheme. When a file enters into the proposed system for type identification, its relative byte frequencies is calculated. The file is then assigned to the cluster having the most similar byte-pattern frequencies. If the assigned cluster represents only one file type, the same type is assigned to the file. Otherwise LDA is used to identify the exact type of the file. The discriminant scores are computed for all file types in the cluster using their respective discriminant function. The file type having least discriminant score is deemed to be the type of file.

7 7.1

Evaluation of Our Scheme Cluster Analysis to Group Similar Byte-Frequency Distribution Files

In this section, we describe how files are grouped using clustering. We use Ward’s clustering method [24] which forms clusters by minimizing the total withincluster sum of squares. For instance, if XY is the cluster obtained by combining clusters X and Y, the sum of within-cluster distances (WXY ) are WXY =

n XY  i=1



(yi − y¯XY ) (yi − y¯XY )

(3)

54

I. Ahmed et al.

(a) Grouping file types using 3 clusters

(b) Grouping file types using 6 clusters

(c) Grouping file types using 8 clusters Fig. 6. Grouping of file types on different number of clusters

¯Y ) X +nY y where yi are data points, y¯XY = (nX(ny¯X and , nX , nY and nXY = nX +nY +nY ) are number of data points in X,Y and XY respectively. Figure 6 illustrates the grouping of different file types and their respective percentage. We group files in 3, 6 and 8 clusters. Figure 6 shows that certain file types are always grouped together. These file types usually have similar content characteristics. For example, ASP, HTML, and TXT files usually contain ASCII characters therefore they are grouped together. Also multiple file types lie in one cluster and same file type in multiple clusters. Such observation supports our assumptions made in section 3, which states that files with different types could have similar byte-frequency patterns and files with the same type could have dissimilar patterns. We observed some outlier clusters and did not use them in type identification process. We consider them as outlier because each of them only consists of one TXT type file.

On Improving the Accuracy of Content-Based File Type Identification

7.2

55

Linear Discriminant Analysis to Classify Each File Type

This section discusses the classification accuracy. In detection phase, the test dataset is used to find out the detection accuracy of the clustering, LDA and overall system. If the type of a test file does not match with any of the cluster file type, it is said to be misclassified. For example, if file f of type X is assigned to cluster Y but cluster Y does not have type X, then file f is considered misclassified. Hence the accuracy (%) of assigning files to their respective clusters is calculated as follows. Accuracy(%) =

(Total number of files - misclassified files) total number of files

(4)

The files that are not misclassified in the clustering step are further processed by LDA if the assigned cluster has multiple file type. Each cluster has its own linear discriminant functions for its file types. For example, if the file f is assigned

Fig. 7. Accuracy achieved by LDA while detecting 10 file types in different number clusters

Fig. 8. Average accuracy (%) achieved by clustering and LDA when different number of clusters are used. Overall shows the combined accuracy of clusters and LDA.

56

I. Ahmed et al.

to a cluster, linear discriminant score is computed for each file type using its respective function and the file type having least discriminant score is considered as the type of test file f. We use the Eq. 4 to compute the accuracy of LDA for each file type. Figure 7 shows that file types (such as MP3 and JPG) that reside only in one cluster have almost achieved 100% accuracy. However types EXE, DOC, XLS, and GIF reside in multiple clusters (because their byte-pattern frequencies are quite similar) and the results of LDA on them were less accurate. Figure 8 shows the average detection accuracy of the clustering, LDA, and the overall proposed system. Figure 8 also shows the average accuracy of Ward’s clustering method when different number of clusters is used. It shows that the accuracy remains almost constant when we increase the number of clusters.

8

Comparison of Single- and Multi-centroid Models with the Proposed Scheme

Figure 9 shows the comparison of the proposed scheme with single- and multicentroid models (using both cosine similarity and Mahalanobis distance). We

Fig. 9. Classification accuracy (%) achieved by our proposed scheme (6 clusters are used) and single and multiple centroid models using cosine similarity (CS) and Mahalanobis distance (MD) while classifying 10 sampled file types

Fig. 10. Comparison of average classification accuracy among single- and multicentroid models and the proposed scheme

On Improving the Accuracy of Content-Based File Type Identification

57

took the classification accuracy using all the 256 byte-patterns in single and multi-centroid models (i.e. we did not truncate the models). Figure 9 shows that in most cases our recursive scheme has highest accuracy rate, and on average it achieved substantial improvement in classification accuracy over single- and multi-centroid models (Figure 10).

9

Conclusion and Future Work

This paper presented two approaches to improve the classification accuracy in identifying file types using their byte-frequency distributions. The first approach is to use cosine similarity as a distance metric to find out the consistency between the byte frequency-distribution of a test file and representative model of a file type. Based on our experimental results, we conclude that cosine similarity is a better measure than Mahalanobis distance as it improved 4.8% and 13.10% classification accuracy using Wei-Hen Li’s single and multi centroid models respectively, and did not lose accuracy when using a small percentage of highlyoccurred byte-patterns in the representative models. Using small percentage of byte patterns results in smaller model size and faster detection rate. Our experiment shows that cosine similarity reduces the detection speed by approximately 11% when only 10% of highly-occurred byte-patterns of the representative model are used. We expect that the improvement in model size and computation time will be much greater if we use higher n-gram. Wei-Hen Li’s multi-centroid model performs better than its single-centroid model but still suffers when building models of different file types showing similar byte patterns. We proposed a recursive scheme which is comparable to WeiHen Li’s multi-centroid model but is more accurate (figure 10 shows 31.47% improvement). From cluster analysis, we noticed that files of similar nature file types are always grouped together. For instance, the text-based files (ASP, TXT and HTML) are always grouped together. Also DOC and XLS which contains both text and binary characters are always found in same clusters. The accuracy of linear discriminant in our experiment is still not satisfactory. As our future work, we plan to improve our grouping scheme, especially focusing on identifying text-based file types.

Acknowledgement This research is supported by the Ubiquitous Computing and Network(UCN) Project, Knowledge and Economy Frontier R&D Program of the Ministry of Knowledge Economy(MKE) in Korea and a result of subproject UCN 09C1-C520S. H.Shin would like to gratefully acknowledge support from Post Brain Korea 21 and the research grant from Korean Government (MOEHRD, Basic Research Promotion Fund, KRF-2008-531-D00032).

58

I. Ahmed et al.

References 1. Exclusion option to skip the files for the scanning in Norton antivirus, http://service1.symantec.com/SUPPORT/nav.nsf/0/ c829006aa01d540b852565a6007770d8?OpenDocument 2. Stegdetect, http://packages.debian.org/unstable/utils/stegdetect 3. Libmagic1 package, http://packages.debian.org/unstable/libs/libmagic1 4. Wang, K., Stolfo, S.J.: Anomalous Payload-based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004) 5. Ahmed, I., Lhee, K.-s.: Detection of malcodes by packet classification. In: Workshop on Privacy and Security by means of Artificial Intelligence, ARES 2008, pp. 1028– 1035 (2008) 6. Li, W.J., Wang, K., Stolfo, S., Herzog, B.: Fileprints: Identifying File Types by ngram Analysis. In: Workshop on Information Assurance and security (IAW 2005), United States Military Academy, West Point, NY, pp. 64–71 (2005) 7. Srinivasan, N., Vaidehil, V.: Reduction of False Alarm Rate in Detecting Network Anomaly using Mahalanobis Distance and Similarity Measure. In: Proceedings of ICSCN, pp. 366–371 (2007) 8. Tan, P.-N., Steinbach, M., Kumar, V.: Introduction to data mining. AddisonWesley, Reading (2005) 9. Martin, K., Nahid, S.: Oscar - file type identification of binary data in disk clusters and RAM pages. In: IFIP security and privacy in dynamic environments, pp. 413– 424 (2006) 10. Martin, K., Nahid, S.: File type identification of data fragments by their binary structure. In: Proceedings of the IEEE workshop on information assurance, pp. 140–147 (2006) 11. Veenman, C.J.: Statistical disk cluster classification for file carving. In: IEEE third international symposium on information assurance and security, pp. 393–398 (2007) 12. Rencher, A.C.: Methods of Multivariate Analysis. Wiley Interscience, Hoboken (2002) 13. File extensions, http://www.file-extension.com/ 14. Magic numbers, http://qdn.qnx.com/support/docs/qnx4/utils/m/magic.html 15. Nachenberg, C.: Polymorphic virus detection module, United States Patent # 5,826,013 (1998) 16. Szor, P., Ferrie, P.: Hunting for metamorphic. In: Proceedings of Virus Bulletin Conference, pp. 123–144 (2001) 17. RIX, Writing IA32 Alphanumeric Shell codes, http://www.phrack.org/issues.html?issue=57&id=15#article 18. Eller, R.: Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel platforms (2003), http://community.core-di.com/~ juliano/bypassmsb.txt 19. McDaniel, M., Hossain Heydari, M.: Content Based File Type Detection Algorithms. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (2003) 20. Kolmogorov, A.N.: Three approaches to the quantitative definition of information. Problems of Information Transmission, 1–11 (1965) 21. Calhoun, W.C., Coles, D.: Predicting the types of file fragments. Digital Investigation 5(1), 14–20 (2008)

On Improving the Accuracy of Content-Based File Type Identification

59

22. Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Kr¨ ugel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006) 23. Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation: in 16th USENIX Security Symposium (2007) 24. Ward, J.H.: Hierarchical grouping to optimize an objective function. Journal of the American Statistical Association, 235–244 (1963)

Attacking 9 and 10 Rounds of AES-256 Ewan Fleischmann, Michael Gorski, and Stefan Lucks Bauhaus-University Weimar, Germany {Ewan.Fleischmann,Michael.Gorski,Stefan.Lucks}@uni-weimar.de

Abstract. The AES-256 has received less attention in cryptanalysis than the 192 or 128-bit versions of the AES. In this paper we propose new attacks on 9 and 10-round AES-256. In particular we present a 9-round attack on AES-256 which has the lowest data complexity of all known 9-round attacks. Also, our 10-round attack has a lower data complexity than all known attacks on AES-256. Also, our attack is the first that uses a key differential with probability below one in combination with a related-key boomerang attack. This leads to better related-key differentials which contain less non-zero byte differences and rounds with zero byte differences in each byte of a subkey difference. Keywords: block ciphers, AES, differential cryptanalysis, related-key boomerang attack.

1

Introduction

The Advanced Encryption Standard (AES) [5] has become one of the most used symmetric encryption algorithms in the world. Differential cryptanalysis [3] is is the source for essentially all attacks on block ciphers like the AES (i.e. Rijndael). It recovers subkey bits for the first or the last rounds, while using differential properties of the underlying cipher. The boomerang attack [15] is a strong extension to differential cryptanalysis in order to break more rounds than differential attacks can do, since the cipher is treated as a cascade of two sub-ciphers, using short differentials in each subcipher. These differentials are combined in an adaptive chosen plaintext and ciphertext attack to exploit properties of the cipher that have a high probability. Related-key attacks [1, 14] apply differential cryptanalysis to ciphers using different, but related, keys and consider the information that can be extracted from encryptions under these keys. Ciphers with a weak key schedule are vulnerable to this kind of attack. The idea of related-key differentials was presented in [11], while two encryptions under two related-keys are used. Several combinations of related-key and differential attacks were introduced in the following. Related keys combined with the impossible differential attack [10], the differential-linear attack [8] or the rectangle attack [2, 9, 12, 13]. Biryukov [4] proposed a boomerang attack on the AES-128 which can break up to 5 and 6 out of 10 rounds. The related-key boomerang attack was published first in [2], but was not used to attack the AES. C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 60–72, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Attacking 9 and 10 Rounds of AES-256

61

Table 1. Existing attacks on round reduced AES-256 Attack Partial Sums

# Rounds # Keys Data / Time 8

Source

1

2128 − 2119 / 2204

[6]

Partial Sums Related-Key Rectangle Related-Key Boomerang

9 9 9

256 4 215.5

2

/ 5·2 299 / 2120 267 / 2142.83

[6] [12] Section 4

Related-Key Rectangle Related-Key Rectangle† Related-Key Boomerang

10 10 10

256 64 215.5

2114.9 / 2171.8 2113.9 / 2172.8 267 / 2182.67

[2] [12] Section 5

†

85

224

: the attack is based on the 10-round attack of Biham et al. [2], which has some flaws.

In this paper we propose a 9-round related-key boomerang attack on the AES256 which has the lowest data complexity among all attacks presented so far. Furthermore we present the first attack on 10 rounds of the AES-256 described in full detail. There is a similar attack on 7 and 9-round AES-192 proposed by Gorski and Lucks at INDOCRYPT’08 [7]. In addition to their attack, we introduce a key differential that has a probability below one. This allows us to reduce data and time complexity. Up to now, this is the first paper which used this technique on the AES. Table 1 summarizes existing attacks on the AES-256 and our new attacks on 9 and 10 rounds. The paper is organized as follows: In Section 2 we give a brief description of the AES. In Section 3 we describe the related-key boomerang attack. In Section 4, we present a related-key boomerang attack on 9-round AES-256. We extend this attack to a 10-round attack which is presented in Section 5. We conclude the paper in Section 6.

2

Description of the AES

The AES [5] is a block cipher using data blocks of 128 bits with 128, 192 or 256-bit cipher key. A different number of rounds is used depending on the length of the cipher key. The AES has 10, 12 and 14 rounds when a 128, 192 or 256-bit cipher key is used respectively. The plaintexts are treated as a 4 x 4 byte matrix, which is called state. Any single round applies four operations to the state: – SubBytes (SB) is a non-linear byte-wise substitution applied to every byte of the state matrix. – ShiftRows (SR) is a cyclic left shift of the i-th row by i bytes, where i ∈ {0, 1, 2, 3}. – MixColumns (MC) is a multiplication of each column by a constant 4 x 4 matrix. – AddRoundKey (AK) is a XORing of the state and a 128-bit subkey which is derived from the cipher key.

62

E. Fleischmann, M. Gorski, and S. Lucks

An AES round function applies the SB, SR, MC and AK operation in order. Before the first round, a whitening AK operation is applied and the MC operation is omitted in the last round because of symmetry. We concentrate on the 256-bit version of the AES in this paper and refer to [5] for more details on the other versions. Let Wi be a 32-bit word and Wi,j the i-th byte in Wj , then the 256bit cipher key is represented by W0 ||W1 ||W2 || . . . ||W7 . The 256-bit key schedule algorithm works as follows: – For j = 8 to 59 • If j ≡ 0 mod 8, then • W0,j = W0,j−8 ⊕ SB(W1,j−1 ) ⊕ Rcon(j/8), ∗ For i = 1 to 3 • Wi,j = Wi,j−8 ⊕ SB(Wi+1 mod 4,j−1 ), • Else if j ≡ 4 mod 8, then ∗ For i = 0 to 3 do Wi,j = Wi,j−8 ⊕ SB(Wi,j−1 ), • Else ∗ For i = 0 to 3 do Wi,j = Wi,j−8 ⊕ Wi,j−1 , where Rcon denotes fixed constants depending on its input. The whitening key is W0 ||W1 ||W2 ||W3 , the subkey of round 1 is W4 ||W5 ||W6 ||W7 , the subkey of round 2 is W8 ||W9 ||W10 ||W11 and so on. The byte coordinates of a 4 x 4 state matrix are labeled as: x0 x1 x2 x3

3

x4 x5 x6 x7

x8 x9 x10 x11

x12 x13 x14 x15

The Related-Key Boomerang Attack

We now describe the related-key boomerang attack [2] in more detail. But first, we have to give some definitions. Definition 1. Let P, P  be two bit strings of the same length. The bit-wise xor of P and P  , P ⊕ P  , is called the difference of P, P  . Let  a be a known and  ∗ an unknown non-zero byte difference. Definition 2. α → β is called a differential if α is the plaintext difference P ⊕P  before some non-linear operation f (·) and β is the difference after applying these operation, i.e, f (P ) ⊕ f (P  ). The probability p is linked on a differential saying that an α difference turns into a β difference with probability p. The backward direction, i.e., α ← β has probability pˆ. Two texts (P, P  ) are called a pair, while two pairs (P, P  , O, O ) are called a quartet. Regularly, the differential probability decreases the more rounds are included. Therefore two short differentials covering only a few rounds each will be used instead of a long one covering the whole cipher. Related-keys are used to exploit some weaknesses of the key schedule to enhance the probability of the differentials being used. We call such differentials related-key differentials. We

Attacking 9 and 10 Rounds of AES-256

63

split the related-key boomerang attack into two steps. The related-key boomerang distinguisher step and the key recovery step. The related-key boomerang distinguisher is used to find all plaintexts sharing a desired difference that depends on the choice of the related-key differential. These plaintexts are used in the key recovery step afterwards to recover subkey bits for the initial round key. Distinguisher Step. During the distinguisher step we treat the cipher as a cas1 0 cade of two sub-ciphers EK (P ) = EK (P ) ◦ EK (P ), where K is the key used for encryption and decryption. We assume that the related-key differential α → β for E 0 occurs with probability p, while the related-key differential γ → δ for E 1 occurs with probability q, where α, β, γ and δ are differences of texts. The back−1 −1 ward direction E 0 and E 1 of the related-key differential for E 0 and E 1 are denoted by α ← β and γ ← δ and occur with probability pˆ and qˆ respectively. The related-key boomerang distinguisher involves four different unknown but relatedkeys Ka , Kb = Ka ⊕ ΔK ∗ , Kc = Ka ⊕ ΔK  and Kd = Ka ⊕ ΔK ∗ ⊕ ΔK  , where ΔK ∗ and ΔK  are chosen cipher key differences. The attack works as follows: 1. Choose a pool of s plaintexts Pi , i ∈ {1, . . . , s} uniformly at random and compute a pool Pi = Pi ⊕ α. 2. Ask for the encryption of Pi under Ka , i.e., Ci = EKa (Pi ) and ask for the encryption of Pi under Kb , i.e., C  = EKb (Pi ). 3. Compute the new ciphertexts Di = Ci ⊕ δ and Di = Ci ⊕ δ. −1 4. Ask for the decryption of Di under Kc , i.e., Oi = EK (Di ) and ask for the c −1    decryption of Di under Kd , i.e., Oi = EKd (Di ). – For each pair (Oi , Oj ), i, j ∈ {1, . . . , s} 5. If Oi ⊕ Oj equals α store the quartet (Pi , Pj , Oi , Oj ) in the set M . A pair (Pi , Pj ), i, j ∈ {1, . . . , s} with the difference α satisfies the differential 0 α → β with the probability p. The output of E0 is Ai and Aj , i.e., EK (Pi ) = Ai a 0    and EKb (Pj ) = Aj have a certain difference β = Ai ⊕ Aj with probability p. Using the ciphertexts Ci and Cj we can compute the new ciphertexts Di = Ci ⊕δ 1−1 1−1 and Dj = Cj ⊕ δ. Let Bi = EK (Di ) and Bj = EK (Dj ) are the decryption c d −1 1 of Di and Dj with EK i ∈ {c, d}. A difference δ turns into a difference γ after i 1−1 passing EKi with probability qˆ. Since δ = Ci ⊕ Di and δ = Cj ⊕ Dj we know that γ = Ai ⊕ Bi and γ = Aj ⊕ Bj with probability qˆ2 . Since we also know, that Ai ⊕Aj = β with probability p, it follows that (Ai ⊕Bi )⊕(Ai ⊕Aj )⊕(Aj ⊕Bj ) = γ ⊕ β ⊕ γ = β = (Bi ⊕ Bj ) holds with probability p · qˆ2 . A β difference turns 0−1 into an α difference after passing the differential EK with probability pˆ. Thus, i   a pair of plaintexts (Pi , Pj ) with Pi ⊕ Pj = α generates a new pair of plaintexts (Oi , Oj ) where Oi ⊕ Oj = α with probability p · pˆ · qˆ2 . A quartet containing these two pairs is defined as: Definition 3. A quartet (Pi , Pj , Oi , Oj ) which satisfies Pi ⊕ Pj = α = Oi ⊕ Oj , Ai ⊕ Aj = β = Bi ⊕ Bj ,

64

E. Fleischmann, M. Gorski, and S. Lucks

Ai ⊕ Bi = γ = Aj ⊕ Bj , Ci ⊕ Di = δ = Cj ⊕ Dj , is called a correct related-key boomerang quartet which occurs with probability P rc = p · pˆ · qˆ2 . A quartet (Pi , Pj , Oi , Oj ) which only satisfies the condition P ⊕ Pj = α = Oi ⊕ Oj is called a false related-key boomerang quartet. Figure 1 displays the structure of the related-key boomerang distinguisher step. Any attacker who applies a related-key boomerang distinguisher does not know the internal states Ai , Aj , Bi , Bj , since he can only apply a chosen plaintext and ciphertext attack on the cipher. The set M , which is the output of the related-key boomerang distinguisher, therefore contains correct and false relatedkey boomerang quartets. It is impossible to form another distinguisher which separates the correct and the false related-key boomerang quartets, since the interior differences β and γ cannot be computed. Key Recovery Step. The second step of the related-key boomerang attack is the key recovery step. From now on, an attacker operates on the set M that was stored by the related-key boomerang distinguisher. Let ka , kb , kc and kd be some key bits of the last round keys derived from the cipher keys Ka , Kb , Kc and Kd . Let dk (C) be the one round partially decryption of C under the key bits k. The key bits are related as kb = ka ⊕ Δk ∗ , kc = ka ⊕ Δk  and kd = ka ⊕ Δk ∗ ⊕ Δk  , where Δk ∗ and Δk  are differences of the last round key bits. These differences are derived from the cipher key difference ΔK ∗ and ΔK  . The key recovery step works as follows:

Fig. 1. The related-key boomerang distinguisher

Attacking 9 and 10 Rounds of AES-256

65

- For each key-bit combination of ka 1. Initialize a counter for each key-bit combination with zero. - For all quartets (P, P  , O, O ) stored in M 2. Ask for the encryption of P, P  , O, O under Ka , Kb , Kc and Kd respectively and obtain the ciphertext quartet C, C  , D, D . Decrypt the ciphertexts C, C  , D, D under ka , kb , kc , kd , i.e., C¯ = dka (C), C¯= ¯ = dkc (D) and D ¯  = dk (D ). dkb (C  ), D d ¯ and C¯ ⊕ D ¯  have a desired 3. Test whether the differences C¯ ⊕ D difference an attacker would expect depending on the related-key differential being used. Increase a counter for the used key-bits if the difference is fulfilled in both pairs. 4. Output the key-bits ka with the highest counter as the correct one. Four cases can be distinct in Step 3, since M contains correct and false relatedkey boomerang quartets and the key-bit combination ka can either be correct or false. A correct related-key boomerang quartet encrypted with the correct key bits will have the desired difference needed to pass the test in Step 3 with probability 1. Hence, the counter for the correct key bits is increased. The three other cases are: a correct related-key boomerang quartet is used with false key bits (P rcKf ), a false related-key boomerang quartet is used with the correct key-bits (P rf Kc ) or a false related-key boomerang quartet is used with a false key-bit combination (P rf Kf ). We assume that the cipher acts like a random permutation. In these cases we assume that P rcKf = P rf Kc = P rf Kf =: P rfilter . The probability that a quartet in one of the three undesirable cases is counted for a certain key bit combination is P rfilter . The related-key differentials have to be chosen such that the counter of the correct key bits is significantly higher than the counter of each false key bit combination. If the differentials have a high probability the key recovery step outputs the correct key-bits in Step 4 with a high probability much faster than exhaustive search.

4

Related-Key Boomerang Attack on 9-Round AES-256

In this section we mount a key recovery attack on 9-round AES-256 using 215.5 related keys. The cipher is represented as E = E 1 ◦ E 0 . E 0 is a differential containing rounds 1 to 5 and including the whitening key addition as well as the key addition of round 5. E 1 is a differential covering rounds 6 to 9. The notation used in our attack will be defined as: – Ka , Kb , Kc , Kd unknown cipher keys (256 bit). – Kai , Kbi , Kci , Kdi unknown round keys of round i, where i ∈ {0, 1, 2, . . . , 12} (128 bit). – ΔK ∗ , ΔK  chosen cipher key differences (256 bit). – ΔKi∗ , ΔKi known subkey differences of round i (128 bit). – Pi , Pj , Oi , Oj plaintexts.

66

E. Fleischmann, M. Gorski, and S. Lucks

– – – – –

Ci , Cj , Di , Dj ciphertexts. a is a known non-zero byte difference. b, b are an output differences of S-Box for the input difference a. c, d, e, f are unknown non-zero byte differences. ∗ is a variable unknown non-zero byte differences.

The Structure of the Keys. In our attack we use four related but unknown keys Ka , Kb , Kc and Kd . Let Ka be the unknown key an attacker would like to recover. The relation that is required for the attack is: Kb = Ka ⊕ ΔK ∗ Kc = Ka ⊕ ΔK  Kd = Ka ⊕ ΔK ∗ ⊕ ΔK  ΔK ∗ is the cipher key difference used for the first related-key differential E 0 and ΔK  is the cipher key difference used for the second related-key differential E 1 . An attacker only chooses the differences ΔK ∗ and ΔK  but does not know the keys. He chooses the cipher key differences as: aa ∗

ΔK =

b

a

and ΔK  =

Using the key schedule algorithm of AES-256 we can use the cipher key differences ΔK ∗ and ΔK  to derive the round key differences ΔK0∗ , . . . , ΔK8∗ and ΔK0 , . . . , ΔK8 respectively.1 These values are shown in Figure 2 and 3. The key ∗ differences ΔK0∗ , ΔK1∗ , . . . , ΔK10 occur with probability 1, while the key differ   ences ΔK0 , ΔK1 , . . . , ΔK10 occur with probability 2−14 . This is the probability that an a difference will be transformed into a certain b difference by the S-Box two times. The difference b can be one of 27 − 1 values, because of the symmetry of the XOR operation and the fact that an a difference can be one of 28 − 1 differences. 4.1

The Related-Key Differential E 0 for Rounds 1 − 5

The input difference α of E 0 has a non-zero difference in bytes 0,3,4,5,9,10,14 and 15. After SR1 all non-zero byte differences are in column 0 and 1. A column with four non-zero byte differences ist transformed into a column having an a difference with fixed position after MixColumns with probability 2−32 . This occurs for two of such columns with probability 2−64 . The two a differences in bytes 0 and 4 are canceled out by the key addition AK1 . Thus each byte of the state matrix has a zero difference until AK3 creates an a difference in byte 0, which is transformed to a non-zero difference by SB4 and to four non-zero byte differences after M C4 . The state matrix has a non-zero differences in bytes 0, 1, 2, and 3. The difference which occurs after AK5 is called βout , where all bytes 1

The key difference ΔK ∗ is also used in [12].

Attacking 9 and 10 Rounds of AES-256 ∗ ΔK0

∗ ΔK1

∗ ΔK2

aa

∗ ΔK7

∗ ΔK8

cccc

d d d d b  b

∗ ΔK6

a b b b b

∗ ΔK3

∗ ΔK4

a

a

67

∗ ΔK5

aaaa

∗ ΔK9

∗ ΔK10

eeee c c

f f f f d d b  b

aa

Fig. 2. Round key differences derived from ΔK ∗  ΔK0

a

 ΔK1

 ΔK3

 ΔK2

aaa

b

 ΔK6

 ΔK7

aa

 ΔK4

 ΔK5

 ΔK9

 ΔK10

a a

b

 ΔK8

a

bbb

Fig. 3. Round key differences derived from ΔK 

α

∗∗ ∗∗ ∗∗ ∗ ∗

aa

a

AK0 ,SB1 ,SR1 ,M C1

AK1 ,...,AK3

−→

SB4 ,SR4 ,M C4 ,AK4

−→

∗ ∗ ∗ ∗

−→

SB5 ,SR5 ,M C5 ,AK5

−→

∗ ∗ ∗ ∗

βout

∗ ∗ ∗ ∗

∗ ∗ ∗ ∗

∗ ∗ ∗ ∗

Fig. 4. The related-key differential E 0

are non-zero. The probability of the differential E0 , i.e., the transformation of an α difference into a βout difference is given by P r(α → βout ) = 2−64 . The related-key differential E 0 is shown in Figure 4. 4.2

The Related-Key Differential E 1

−1

for Rounds 9 − 6

From the bottom up direction of the related-key boomerang distinguisher the −1 related-key differential E 1 is used with the round-key differences of ΔK  . Note that the used key differential ΔK  has a probability of 2−14 to occur, which increases the necessary keys for the attack. The input difference δ consists of

68

E. Fleischmann, M. Gorski, and S. Lucks

δ

∗

−1 AK9

−→

∗

γ

−1 SR−1 9 ,SB9

−→

a

−1 −1 AK8 ,...,AK6

aa

−1 −1 M C6 ,...,SB6

−→

−→

∗∗ ∗∗ ∗ ∗ ∗∗

−1

Fig. 5. The related-key differential E 1

a non-zero difference in byte 4. SB9−1 generates an a difference in byte 4 with probability 2−8 . If this occurs the text difference after SB9−1 is equal to the subkey difference ΔK8 . Hence, all bytes have a zero difference after applying AK8−1 . Passing AK6−1 the state matrix has two a differences in bytes 4 and 8. We call γ the text difference remaining after SB6−1 . This text difference has −1 eight non-zero difference in bytes 2,3,4,7,8,9,13 and 14. The probability of E 1 −1 is Pr(γ ← δ) = 2−8 . The related-key differential E 1 is shown in Figure 5. 4.3

The Related-Key Differential E 0

−1

for Rounds 6 − 1

For the following steps we need that the output difference βout of the related-key differential E 0 is equal to the input difference βin for the related-key differential −1 E 0 . Note that βin and βout are not only equal in the same positions of non-zero differences but are also equal in each byte. We will shown how to construct such a case. From the boomerang condition inside the cipher for two differences γ1 and γ2 we know that βout ⊕ γ1 ⊕ γ2 = βin holds with some probability. Since γ1 and γ2 are equal in each byte, we simply write γ. Thus the above condition reduces to : βout ⊕ γ ⊕ γ = βout = βin

(1)

Using the differentials above, the differences βin and βout are equal with probability one. Note that these difference occur only with some probability, which will be given in more detail later. Let A, A , B, B  be the internal state after SR5 when encrypting P, P  , O, O under Ka , Kb , Kc , Kd respectively. We use the same notation as in Figure 1. Since M C is linear γ can be expressed as ΔK5

   γ = Ka5 ⊕ M C5 (A) ⊕ Kc5 ⊕ M C5 (B) = Ka5 ⊕ Kc5 ⊕M C5 (A ⊕ B)

(2)

and as ΔK5

   γ = Kb5 ⊕ M C5 (A ) ⊕ Kd5 ⊕ M C5 (B  ) = Kb5 ⊕ Kd5 ⊕M C5 (A ⊕ B  ).

(3)

Equation (2) and (3) can be combined, which leaves A ⊕ A = B ⊕ B  . In other words, the M C5 operation can be undone with the probability 1 due to the

Attacking 9 and 10 Rounds of AES-256

∗ ∗ ∗ ∗

βin

∗ ∗ ∗ ∗

∗ ∗ ∗ ∗

∗ ∗ ∗ ∗

−1 −1 AK5 ,M C5

∗

−→

∗

∗

∗

−1 SR−1 5 ,SB5

−→

∗ ∗ ∗ ∗

−1 −1 AK4 ,M C4

69

∗

−→

α

−1 SR−1 4 ,SB4

a

−→

−1 −1 AK3 ,...,AK1

−→

aa

−1 −1 −1 M C1 ,SR−1 1 ,SB1 ,AK0

−→

∗∗ ∗ ∗ ∗∗ ∗∗

−1

Fig. 6. The related-key differential E 0

boomerang condition (1).To achieve that βout equals βin the differences γ1 and γ2 have to be equal. This happens with probability 2−56 since an a difference can be one of 27 − 1 values after an S-Box transformation and MixColumns is a linear operation. If this occurs we know from the boomerang condition that βout ⊕ γ1 ⊕ γ2 = βout = βin holds with some probability and M C5 can be undone with probability one. This means that we know that a non-zero byte difference occurs after M C5−1 only in the bytes 0,7,10 and 13, while the other bytes are zero. Four non-zero bytes remain after AK4−1 in column 0. With probability 2−24 M C4−1 generates a non-zero difference in byte 0 while the remaining bytes are zero. After the next S-Box operation we have an a difference with probabil−1 ity 2−8 . The further steps operate such that the output difference of E 0 has non-zero differences in bytes 1,2,6,7,8,11,12 and 13. We call this difference α. −1 The differential E 0 has the probability Pr(α ← βin ) = 2−32 and is shown in Figure 6. 4.4

The Attack

1. Choose 242.5 structures S1 , S2 , . . . , S242.5 of 264 plaintexts Pi , i ∈ {1, 2, . . . , 264 } where the bytes 0, 3, 4, 5, 9, 10, 14, 15 are fixed and the other bytes have all possible values. Ask for encryption of Pi under Ka to obtain the ciphertexts Ci , i.e., Ci = EKa (Pi ). 2. Compute 242.5 structures S1 , S2 , . . . , S2 49.5 of 264 plaintexts Pi = Pi . Ask for encryption of Pi under Kb , where Kb = Ka ⊕ ΔK ∗ to obtain the ciphertexts Ci , i.e., Ci = EKb (Pi ). 3. For each possible value of b compute ΔK˜  3.1. Compute 242.5 structures S1∗ , S2∗ , . . . , S2∗42.5 of 264 ciphertexts Di , i.e, Di = Ci ⊕ δ where δ is a fixed 128-bit value of which byte 4 non-zero while all other bytes are zero. Ask for decryption of Di under Kc = Ka ⊕ ΔK˜  to −1 obtain the plaintexts Oi , i.e., Oi = EK (Di ). c 42.5 ∗ ∗ 3.2. Compute 2 structures S1 , S2 , . . . , S2∗42.5 of 264 ciphertexts Di , i.e, Di = Ci ⊕ δ where δ is as in Step 3.1. Ask for decryption of Di under Kd = −1 Ka ⊕ ΔK ∗ ⊕ ΔK˜  to obtain the plaintexts Oi , i.e., Oi = EK (Di ). d    3.3. Store only those quartets (Pi , Pj , Oi , Oj ) where Oi ⊕ Oj have a zero byte differences in bytes 0, 3, 4, 5, 9, 10, 14 and 15.

70

E. Fleischmann, M. Gorski, and S. Lucks

3.4. Guess an 8-bit subkey k¯a9 of Ka9 in the positions of byte 4 and compute k¯b9 , k¯c9 , k¯d9 respectively. 3.4.1. Partially decrypt each quartet (Ci , Cj , Di , Dj ) remaining after Step 3.3 under k¯a9 , k¯b9 , k¯c9 , k¯d9 respectively. 3.4.2. Check if dk¯a9 (Ci ) ⊕ dk¯c9 (Di ) and dk¯b9 (Ci ) ⊕ dk¯d9 (Di ) have an adifference after SB9−1 in byte 4. Record (k¯a9 ) and all the qualified quartets and then go to Step 3.5.  3.5. Guess a 32-bit subkey ka0 of Ka0 in the positions of bytes 0,5,10,15 and     compute kb0 = kc0 = kd0 = ka0 (ΔK0∗ and ΔK0 are zero in these four bytes) 3.5.1. Partially encrypt each quartet (Pi , Pj , Oi , Oj ) remaining after Step 3.4.2     under ka0 , kb0 , kc0 , kd0 respectively.    (Pi )⊕ek (P ) and ek (Oi )⊕ek (O ) have an a difference 3.5.2. Check if eka0 j j c0 b0 d0  in byte 0 after M C1 . Record (k¯a9 , ka0 ) and all the qualified quartets and then go to Step 3.6. ∗ 3.6. Guess a 32-bit subkey ka0 of Ka0 in the positions of bytes 3,4,9,14 and ∗ ∗ ∗ ∗ compute kb0 = ka0 , compute kc0 = ka0 ⊕ M1 , with the 32-bit value M1 = ∗ ∗ (a, 0, 0, 0) and compute kd0 = kb0 ⊕ M1 . 3.6.1. Partially encrypt each quartet (Pi , Pj , Oi , Oj ) remaining after Step 3.5.2 ∗ ∗ ∗ ∗ under ka0 , kb0 , kc0 , kd0 respectively.   ∗ (Pi )⊕ek∗ (P ) and ek∗ (Oi )⊕ek∗ (O ) have an a difference 3.6.2. Check if eka0 j j c0 b0 d0 in byte 4 after M C1 . If there exist more than 2 boomerang quartets  ∗ passing this test, record (k¯a9 , ka0 , ka0 ) and all the qualified quartets and then go to Step 4. Otherwise, repeat Step 3.6 with another guessed key. If all the possible keys are tested, then repeat Step 3.5 with another guessed key. If all the possible keys are tested, then repeat Step 3.4 with another guessed key.  ∗ 4. For a suggested (k¯a9 , ka0 , ka0 ), do an exhaustive search for the remaining 184 cipher key bits using trial encryption. If a 256-bit cipher key is suggested, output it as the cipher key. Otherwise, go to Step 3 with another guess of b. 4.5

Analysis of the Attack

(264 )2 A pool of 264 plaintexts can be combined to 2 = 2127 quartets. Each quartet of structures Si , Si , Si∗ , S ∗ , i ∈ {1, 2, . . . , 242.5 } can be analyzed separately. The data complexity of Step 1, 2, 3.1 and 3.2 is 22 · 264 = 266 chosen plaintexts, while the time complexity is about 264 encryptions for Step 1 and 2 and about 27.5 · 27 · 264 = 278.5 for Step 3.1 and 3.2, since Step 3 runs at most 27 times and we expect that we need to run the attack with about 27.5 different cipher keys. The data complexity of Step 3.3 is 22 · 264 = 266 plaintexts, since we have a 64-bit filtering condition which leaves 2127 · 2−64 = 263 quartets stored in this step. Step 3.4.1 takes about 27.5 · (1/9) · (1/16) · 27 · 28 · 22 · 263 = 280.33 nine round encryptions. The number of remaining quartets after Step 3.4.2 are 263 ·2−14 = 249 , since we have a 7-bit filtering on both pairs of a quartet. The time complexity of Step 3.5.1 is about 27.5 · (1/9) · (4/16) · 27 · 232 · 28 · 22 · 249 = 2100.33 nine round encryptions. Due to the 32-bit filtering on both pairs we obtain about

Attacking 9 and 10 Rounds of AES-256

71

249 · 2−64 = 2−15 quartets after Step 3.5.2. The time complexity of Step 3.6.1 is negligible, while about 2−15 · 2−64 = 2−79 quartets remain after this step. Using 242.5 structures we obtain #P P ≈ 242.5 · 2127 = 2169.5 quartets in total. A correct related-key boomerang quartet occurs with probability P rc = Pr(α → βout ) · (Pr(γ ← δ))2 · Pr(βout = βin ) · Pr(α ← βin ) = 2−64 · (2−8 )2 · 2−56 · 2−32 = 2−168 , since all related-key differential conditions are fulfilled. About 242.5 ·2−79 = 2−36.5 false related-key boomerang quartets remain Step 3.6.2 and are counted with the false key bits. Using the Poisson distribution we can compute the success rate of our attack. The probability that the number of remaining quartets for each false key bit combination is larger than 1 is Y ∼ Poisson(μ = 2−36.5 ), Pr(Y ≥ 2) ≈ 0. Therefore the probability that our attack outputs false key bits as the correct one is very low. We expect to have a count of 3 quartets for the correct key bits. The probability that the number of quartets counted for the correct key bits is larger than 1 is Z ∼ Poisson(μ = 3), Pr(Z ≥ 2) ≈ 0.8. The data complexity is about 267 = 23 · 264 adaptive chosen plaintexts and ciphertexts and the time complexity is about 2142.83 = 242.5 · 2100.33 9-round AES-256 encryptions.

5

Related-Key Boomerang Attack on 10-Round AES-256

The related-key boomerang attack can easily be extended to a 10-round attack, by guessing 32 bits of K10 at the bytes 1,4,11 and 14. Since we use related keys ∗  we have to take the key differences ΔK10 and ΔK10 into account. Therefore we ∗ have to guess 8 bits for the unknown values of f in ΔK10 . The moreover, we change the order of M C9 and AK9 , which allows us to mount the 9-round attack inside the 10-round attack. The data complexity of this 10-round attack on AES256 remains at 267 chosen plaintexts and ciphertexts and the time complexity increases to 232 · 28 · (9/10) · 2142.83 = 2182.67 10-round AES-256 encryptions.

6

Conclusion

This paper proposes a new attack on 9 and 10-round AES-256. These are the first attacks using a related-key differential with probability below one. Our 9 and 10round attacks on AES-256 have the lowest data complexity compared to existing attacks and use about 267 chosen plaintexts and ciphertexts. Nevertheless, the attacks presented in this paper find only some weaknesses for round reduced versions of the AES-256, while the full version of the AES-256 remains unbroken.

Acknowledgements The authors would like to thank Orr Dunkelman and the anonymous reviewers for many helpful comments.

72

E. Fleischmann, M. Gorski, and S. Lucks

References [1] Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptology 7(4), 229–246 (1994) [2] Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005) [3] Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. J. Cryptology 4(1), 3–72 (1991) [4] Biryukov, A.: The Boomerang Attack on 5 and 6-Round Reduced AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 11–15. Springer, Heidelberg (2005) [5] Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002) [6] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001) [7] Gorski, M., Lucks, S.: New Related-Key Boomerang Attacks on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 266–278. Springer, Heidelberg (2008) [8] Hawkes, P.: Differential-Linear Weak Key Classes of IDEA. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 112–126. Springer, Heidelberg (1998) [9] Hong, S., Kim, J., Lee, S., Preneel, B.: Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 368–383. Springer, Heidelberg (2005) [10] Jakimoski, G., Desmedt, Y.: Related-Key Differential Cryptanalysis of 192-bit Key AES Variants. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 208–221. Springer, Heidelberg (2004) [11] Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of 3-WAY, BihamDES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997) [12] Kim, J., Hong, S., Preneel, B.: Related-Key Rectangle Attacks on Reduced AES192 and AES-256. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 225–241. Springer, Heidelberg (2007) [13] Kim, J., Kim, G., Hong, S., Lee, S., Hong, D.: The Related-Key Rectangle Attack - Application to SHACAL-1. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 123–136. Springer, Heidelberg (2004) [14] Knudsen, L.R.: Cryptanalysis of LOKI91. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993) [15] Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)

Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure Jiali Choy, Guanhan Chew, Khoongming Khoo, and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 {cjiali,cguanhan,kkhoongm,yhuihui}@dso.org.sg

Abstract. In this paper, we study GF-NLFSR, a Generalized Unbalanced Feistel Network (GUFN) which can be considered as an extension of the outer function F O of the KASUMI block cipher. We prove upper bounds for the differential and linear hull probabilities for any n + 1 rounds of an n-cell GF-NLFSR. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. We also demonstrate a (2n − 1)-round impossible differential distinguisher and a (3n − 1)-round integral attack distinguisher on the n-cell GFNLFSR. As an application, we design a new block cipher Four-Cell based on a 4-cell GF-NLFSR. We prove the security of Four-Cell against differential, linear, and boomerang attack. Based on the 7-round impossible differential and 11-round integral attack distinguisher, we set the number of rounds of Four-Cell to be 25 for protection against these attacks. Furthermore, Four-Cell can be shown to be secure against other attacks such as higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack. Keywords: Block Ciphers, Generalized Unbalanced Feistel Network, Differential Probability, Linear Hull Probability.

1

Introduction

In this paper, we examine a family of block ciphers whose structure is modelled after that of a Generalized Unbalanced Feistel Network (GUFN). The GUFN was first suggested by Schneier et al. in [20]. Similar to conventional Feistel networks, unbalanced ones comprise of a concatenation of rounds. In each round, one part of the block controls the encryption of another part of the block. However, the two parts need not be of equal sizes. The particular GUFN we shall be analyzing is an n-cell extension of the outer function F O of the KASUMI block cipher [24], which is a 2-cell structure. Besides being a GUFN, our structure can also be viewed as an n-cell NonLinear Feedback Shift Register (NLFSR). Thus, we call our structure a Generalized C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 73–89, 2009. c Springer-Verlag Berlin Heidelberg 2009 

74

J. Choy et al.

Feistel-NonLinear Feedback Shift Register (GF-NLFSR). In Section 3, we shall give a detailed description of the GF-NLFSR. Many GUFN-based block ciphers have been constructed; some examples include the ciphers SMS4 [13] and CLEFIA [21]. While the true differential and linear hull probabilities of these ciphers are not known in the open literature, they have been calculated for other GUFN-like constructions. In [24], these were derived for KASUMI’s F O function, which is equivalent to a 2-cell GUFN. Similar analyses have been done in [25] for another GUFN-like round function, and also in [15]. To the best of our knowledge, bounds for the true differential and linear hull probabilities have not been proven for GUFN-based ciphers with n input cells. Analysis of true differentials and linear hulls is required in assessing vulnerability to attacks such as boomerang attack. In light of this, the study in our paper is both novel and useful. In Sections 4 and 5, we prove that the true differential and linear hull probability of any n + 1 rounds of the n-cell GF-NLFSR is bounded by p2 where p is the maximal probability of the nonlinear function. In Section 6, we investigate the frequency distribution of the differential and linear hull probability of any n + 1 rounds based on different input-output differentials/linear masks. From the frequency distribution, we see that the maximal probability p2 only holds for a very tiny portion of all differentials/linear hulls. There are also other differentials/linear hulls having probability bounds p3 , p4 , . . . , pn , but we prove that almost all differentials/linear hulls have probability bound pn . Furthermore, we compute the expected differential/linear hull probability bound and find this value to be close to (2−B + p)n where B is the size of each cell in GF-NLFSR. These differential and linear hull probability bounds are achieved when the input differences and mask values are randomly chosen, which is likely when n + 1 rounds of the n-cell GF-NLFSR is prepended and appended by additional cipher structures. In this case, the security of n + 1 rounds of n-cell GF-NLFSR, in the sense of differential and linear hull probability bounds, is therefore much better than is typically believed. This motivates our study of the expected bounds in the Section 6. Other than differential and linear cryptanalysis, in Sections 7 and 8, we also consider the security of GF-NLFSR against impossible differential and integral cryptanalysis. For the former this is done by finding impossible differential characteristics which play the role of a sieve, methodically rejecting the wrong key guesses and leaving the correct key. For GF-NLFSR, the maximum number of rounds for impossible differential characteristics was found to be 2n − 1. On the other hand, in an integral attack, the attacker looks at larger carefully chosen sets of encryptions, in which parts of the input text form a multiset. We studied the propagation of multisets through the cipher and unveiled a (3n − 1)-round distinguisher for GF-NLSR. As an application of our results on GF-NLFSR, we design a GUFN-based block cipher Four-Cell in Section 9. It is a 128-bit block cipher based on a 4-cell GF-NLFSR where each cell is 32-bit long. Besides proving practical security against differential and linear cryptanalysis, we are able to bound its true

Cryptographic Properties and Application of a GUFN Structure

75

differential probability by 2−55.39 and linear hull probability by 2−52.96 . Moreover, we show that with 99.9999% frequency, the differential and linear hull probability bounds are much lower at 2−110.78 and 2−105.91 respectively. These facts also allow us to prove its security against boomerang attack. Based on the results in Sections 7 and 8, we can deduce a 7-round impossible differential and an 11-round integral attack distinguisher on Four-Cell. To protect against these attacks, we set the number of rounds of Four-Cell to be 25. Furthermore, we explain why Four-Cell is secure against other cryptanalysis like higher-order differential attack, cube attack, interpolation attack, XSL attack and slide attack. Like the AES cipher, our Four-Cell block cipher can be proven secure against known block cipher attacks. In principle, it can use the same S-box (SubBytes) and MDS transform (MixColumn) as AES. However, it is more efficient (in hardware) in the sense that it uses less MDS transforms (25 compared to 40) than AES while keeping the number of S-boxes unchanged. Another advantage of the n-cell GF-NLFSR structure is that the nonlinear function in any n rounds can be computed in parallel. Therefore, any four rounds of the nonlinear transforms in our block cipher Four-Cell can be computed in parallel. This is not true for a general GUFN-based block cipher like SMS4 [13].

2

Definitions and Preliminaries

In this paper, we shall study the GF-NLFSR which can be considered as a particular instantiation of the Generalized Unbalanced Feistel Network defined in [20]. In what follows, the “+” symbol is used to denote finite field addition (XOR) over GF (2)n or ordinary addition, depending on the operands and context. 2.1

Differential Cryptanalysis

As is widely known, differential cryptanalysis [1] is a chosen-plaintext attack in which statistical key information is deduced from ciphertext blocks obtained by encrypting pairs of plaintext blocks with a specific bitwise difference under the target key. It studies the propagation of input differences to output differences in iterated transformations. Let f : GF (2)m → GF (2)m be a Boolean mapping composed of a number of rounds. The concept of characteristic was introduced: a sequence of difference patterns such that the output difference from one round corresponds to the input difference in the next round. On the other hand, in [10,11], the conf

cept of a differential, denoted by α −→ β, was presented, where the XORs in the inputs and outputs of the intermediate rounds are not fixed. We denote f DP (α −→ β) = P r(f (x) + f (x + α) = β), where α, β are fixed input and output differences. Differential cryptanalysis exploits differential characteristics with high probability. However, even if the maximal differential characteristic probability is low, one cannot conclude that the cipher is secure against differential attack. Instead, one must show that the maximal differential probability of all differentials is low

76

J. Choy et al.

enough [11]. This property ensures provable security against differential cryptanalysis as opposed to practical security which simply considers the maximal differential characteristic probability. Proposition 1. [11] A block cipher with block length m is resistant against conventional differential attacks under an independent subkey assumption, if there does not exist any differential α −→ β, α  = 0, ranging over all but a few rounds, such that DP (α −→ β)  2−m . For key-dependent functions, we consider the average resistance against differential cryptanalysis, i.e. the average differential probability taken over the entire key set. More formally, let F : GF (2)m × K → GF (2)m be a key-dependent function. Denote fk = F (x, k) for each fixed k ∈ K. Let α, β ∈ GF (2)m be F constants. The differential probability of the differential α −→ β is defined as  fk F 1 DP (α −→ β) = |K| k∈K DP (α −→ β). The maximal differential probability F

of F is defined as DP (Fmax ) = max DP (α −→ β). α =0,β

2.2

Linear Cryptanalysis

Linear cryptanalysis [14] is a known-plaintext attack that tries to utilize high probability occurrences of linear expressions involving plaintext bits, ciphertext bits, and subkey bits. As with the differential case, we must also distinguish between a linear characteristic and a linear hull. A linear characteristic over f consists of a sequence of mask values such that the output mask values from one round corresponds to the input mask values to the next round. On the other hand, a f linear hull, denoted by u ←− w, is the set of all linear characteristics with f the same initial and terminal mask values. We denote LP (u ←− w) = [2 · P r(u · f (x) = w · x) − 1]2 , where w, u are fixed input and output mask values. Linear cryptanalysis takes advantage of linear characteristics with high correlation probability to recover key bits. However, in the evaluation of the strength of a block cipher against linear cryptanalysis, one must consider the linear hulls instead. Having low linear hull probability for all linear hulls will guarantee provable security against linear attacks [17]. Proposition 2. [17] A block cipher with block length m is resistant against conventional linear cryptanalysis under an independent subkey assumption, if there does not exist any linear hull u ←− w, u  = 0, ranging over all but a few rounds, such that LP (u ←− w)  2−m . For key-dependent functions, we consider the average resistance against linear cryptanalysis. Explicitly, let F : GF (2)m × K → GF (2)m be a key-dependent function. Denote fk (x) = F (x, k) for each fixed k ∈ K. Let u, w ∈ GF (2)m be F

constants. The linear hull probability of the linear hull u ←− w is defined as

Cryptographic Properties and Application of a GUFN Structure F

LP (u ←− w) =

1 |K|

 k∈K

77

fk

LP (u ←− w). The maximal linear hull probability of F

F is defined as LP (Fmax ) = max LP (u ←− w). w,u =0

It was proven in [11] and [17] the following result about differential and linear hull probabilities of compositions of key-dependent mappings. Fact 1. [11,17] Let F : GF (2)m ×GF (2)m ×K1 and G : GF (2)m ×GF (2)m ×K2 be key-dependent functions of the type F (x, k, k  ) = f (x + k, k  ), G(x, k, k  ) = g(x + k, k  ), where f : GF (2)m × K1 → GF (2)m and g : GF (2)m × K2 → G◦F GF (2)m are bijective for all fixed k1 ∈ K1 , k2 ∈ K2 . Then DP (α −→ β) =   f g g G◦F ξ∈GF (2)m DP (α −→ ξ)DP (ξ −→ β) and LP (u ←− w)= v∈GF (2)m LP (u ←− f

v)LP (v ←− w). In Sections 4 and 5, we shall be demonstrating provable security of our design structure against differential and linear cryptanalysis by studying its differential and linear hull probabilities. Fact 1 will be required in the proofs of our results later.

3

Description of the Structure

In this section, we will give a description of our design structure, which we call GF-NLFSR. It is essentially a generalization of the outer function, F O, of the KASUMI cipher. The F O function was first suggested by Matsui in [15, Figure 7] as one of the new structures of block ciphers with provable security against differential and linear cryptanalysis. It was then adopted in the design of KASUMI [24]. The following result was proven in the same paper regarding the maximal differential and linear hull probabilities of this function. Fact 2. [24, Theorem 2] Let F be the 3-round function shown in Figure 1 of [24] (i.e. a 2-cell GF-NLFSR) where each Fi : GF (2)B × GF (2)B × Ki → GF (2)B is of the form Fi (x, ki , ki ) = fi (x + ki , ki ) and each fi : GF (2)B × Ki → GF (2)B is bijective for all fixed ki ∈ Ki , where Ki is the key space for ki . (1) If DP ((fi )max ) ≤ p for each i, then DP (Fmax ) ≤ p2 . (2) If LP ((fi )max ) ≤ q for each i, then LP (Fmax ) ≤ q 2 . This function splits the input block into 2 sub-blocks of equal size. Our block cipher structure generalizes this by splitting the input block into n sub-blocks of equal size. Figure 1 below displays one round of GF-NLFSR. Explicitly, suppose we have a m-bit block cipher, i.e. the input and output blocks are both of size m = nB bits. Let the internal state by denoted by S = (S1 , S2 , . . . , Sn ) where Si ∈ GF (2)B . Therefore the internal state consists of n sub-blocks of B bits each. The round keys of the cipher shall be denoted by ki , ki (i = 1, . . . , n + 1). Each Fi function is of the form Fi : GF (2)B × GF (2)B × Ki → GF (2)B Fi (x, ki , ki ) = fi (x + ki , ki ) where each fi : GF (2)B × Ki → GF (2)B is bijective for all fixed ki ∈ Ki .

78

J. Choy et al.

Fig. 1. One round of n-cell GF-NLFSR

The round function R that maps Si to Si+1 under the round keys ki , ki is: R : GF (2)m × GF (2)B × Ki → GF (2)m ((S1 , S2 , . . . , Sn ), ki , ki ) → (S2 , S3 , . . . , Sn , Fi (S1 , ki , ki ) + S2 + S3 + . . . + Sn )

4

Differential Probability

In this section, we present a result for the differential probability of an n-block GF-NLFSR over n + 1 rounds which is similar to Fact 2. Theorem 1. Let F be the (n+1)-round function in Figure 2 (left) of Appendix B where each Fi : GF (2)B × GF (2)B × Ki → GF (2)B is of the form Fi (x, ki , ki ) = fi (x + ki , ki ) and each fi : GF (2)B × Ki → GF (2)B is bijective for all fixed ki ∈ Ki . If DP ((fi )max ) ≤ p for each i, then DP (Fmax ) ≤ p2 . Proof. Let the input difference of F be α = (α1 , . . . , αn )  = 0 and the output difference be β = (β1 , . . . , βn )  = 0, where αi , βi ∈ GF (2)B for i = 1, 2, . . . , n. Also let the output difference of F1 be . In general, the input-output differences for all Fi ’s in the n-cell GF-NLFSR can be summarized as follows: F

1 α1 −→ 

F

2 α2 −→  + α2

F3

α3 −→  + α2 + α3 .. .. . .

+β1 +β1 + β2 .. .

F

n αn −→  + α2 + α3 + . . . + αn +β1 + β2 + . . . + βn−1

Fn+1

 + α2 + α3 + . . . + αn −→

β1 + β2 + . . . + βn−1 + βn (1)

Cryptographic Properties and Application of a GUFN Structure

79

From Fact 1, we have the following: F

DP (α −→ β) =  F1 F2 DP (α1 −→ )DP (α2 −→  + α2 + β1 ) ∈GF (2)B F3 DP (α3 −→

Fn+1

 + α2 + α3 + β1 + β2 ) . . . DP (+α2 + . . . + αn −→ β1 + . . . + βn ). (2) We shall show that at least 2 input differences in Equation 2 are non-zero F when α  = 0. This implies that DP (α −→ β) ≤ p2 . It suffices to prove this fact for the cases where only one of α1 , α2 , . . . , αn is non-zero. F

1 (1) Suppose that only α1  = 0, then   = 0 (otherwise, DP (α1 −→  = 0)). Therefore, the input difference of Fn+1 , i.e.  + α2 + . . . + αn = , is non-zero. (2) Suppose that only α2  = 0, then the input difference of Fn+1 , i.e.  + α2 + . . . + αn = α2 , is non-zero.

.. . (n) Suppose that only αn  = 0, then the input difference of Fn+1 , i.e.  + α2 + . . . + αn = αn , is non-zero. F Therefore, at least 2 of the input differences are non-zero and DP (α −→ β) ≤ p2 .



5

Linear Hull Probability

We also have a result similar to Fact 2 for the linear hull probability of GFNLFSR over n + 1 rounds where the internal state is split into n equally sized blocks. Theorem 2. Let F be the (n+1)-round function in Figure 2 (right) of Appendix B where each Fi : GF (2)B ×GF (2)B ×Ki → GF (2)B is of the form Fi (x, ki , ki ) = fi (x + ki , ki ) and each fi : GF (2)B × Ki → GF (2)B is bijective for all fixed ki ∈ Ki . If LP ((fi )max ) ≤ q for each i, then LP (Fmax ) ≤ q 2 . Proof. Let the output mask value of F be u = (u1 , . . . , un )  = 0 and the input mask value be w = (w1 , . . . , wn )  = 0. If the output mask value of F1 is , it can be easily derived that we have the following individual round approximations: F

1 ←−



F

2 ←− 

u1 + u2

F3

←− 

u2 + u3 .. .

w1 + w2 + w3

+ u1 + u2 .. .

F

n un−1 + un ←− 

Fn+1

un ←− 

.. . + wn + u1 + u1

+ un−1 + un

80

J. Choy et al.

Then Fact 1 gives F

LP (u ←− w) =  F1 F2 F3 LP ( ←− w1 )LP (u1 + u2 ←−  + w2 )LP (u2 + u3 ←−  + w3 + u1 + u2 ) . . . ∈GF (2)B Fn+1

F

n LP (un−1 + un ←− +wn + u1 + un−1 )LP (un ←−  + u1 + un ). (3)

We shall show that at least 2 output mask values in Equation 3 are non-zero F when u, w  = 0. This will then imply that LP (u ←− w) ≤ q 2 . If all the output mask values are equal to 0, i.e.  = u1 + u2 = u2 + u3 = . . . = un−1 + un = un = 0, then

u1 = u2 = . . . = un = 0 ⇒u=0

which gives a contradiction. Therefore, at least 1 output mask value is non-zero. Now we show that if only one of them is non-zero, then we will arrive at a contradiction. (1) Suppose that only   = 0. Then u1 = u2 = . . . = un = 0 which is a contradiction since u  = 0. (2) Suppose that only u1 + u2  = 0. Note that if  = 0, then w1 = 0; otherwise, F

F

1 1 LP ( ←− w1 ) = 0. If w1 = 0, then for other non-zero values of , LP ( ←− w1 ) = 0.  = u2 + u3 = u3 + u4 = . . . = un−1 + un = un = 0

F

⇒  + u1 + un = u1 = 0 (otherwise, LP (u ←− w) = 0) and u2 = u3 = . . . = un = 0 ⇒u=0 which gives a contradiction. (3) Suppose that only u2 + u3  = 0. Then  = u1 + u2 = u3 + u4 = . . . = un−1 + un = un = 0 F

⇒  + u1 + un = u1 = 0 (otherwise, LP (u ←− w) = 0) ⇒ u2 = u1 = 0 and u3 = u4 = . . . = un = 0 ⇒u=0 which gives a contradiction.

.. .

(n) Suppose that only un−1 + un  = 0. Then  = u1 + u2 = u2 + u3 = . . . = un−2 + un−1 = un = 0 F

⇒  + u1 + un = u1 = 0 (otherwise, LP (u ←− w) = 0) ⇒ u1 = u2 = . . . = un−1 = 0 and un = 0 ⇒u=0 which gives a contradiction.

Cryptographic Properties and Application of a GUFN Structure

81

(n + 1) Suppose that only un  = 0. Then  = u1 + u2 = u2 + u3 = . . . = un−1 + un = 0 ⇒ u1 = u2 = . . . = un−1 = un ⇒ w1 = 0,  + w2 = w2 = 0,  + w3 + u1 + u2 = w3 = 0, . . . , F

 + wn + u1 + un−1 = wn = 0 (otherwise, LP (u ←− w) = 0) ⇒w=0 which gives a contradiction. F Therefore, at least 2 of the output mask values must be non-zero and LP (u ←− 2 w) ≤ q .



6

Frequencies of Differential and Linear Hull Probabilities and Expected Value

Here we calculate the approximate number of input-output differences (α −→ β) F F or mask values (u ←− w) with DP (α −→ β) ≤ px or LP (u ←− w) ≤ q x respectively (x = 2, . . . , n). With reference to the sequence of differences and mask values stated in Sections 4 and 5, let Δ = {α1 , α2 , . . . , αn } and Ω = {u1 + u2 , u2 + u3 , . . . , un−1 + un , un }. Define Nd (x) (respectively Nl (x)) as the number of input-output differences (α, β) (respectively input-output masks (w, u)) when there are x non-zero entries in Δ (respectively Ω). From the structure of n-cell, having x non-zero entries F F in Δ or Ω will ensure DP (α −→ β) ≤ px or LP (u ←− w) ≤ q x respectively. F The only exception is when x = 1, where we still have DP (α −→ β) ≤ p2 or F LP (u ←− w) ≤ q 2 by Theorems 1 and 2. Various cases for the input-output pairs and their corresponding bounds are shown in Table 1 in Appendix A. When there are x non-zero entries n inBΔ, the number of possible input-output differences is given by N (x) = d x (2 −   1)x (2nB − 1). This is because there are nx possible input differences with x non-zero entries where each non-zero entry has 2B − 1 possibilities, and there are 2nB − 1 possibilities for the non-zero output difference. We have an identical formula for Nl (x) by a similar reason. Based on the values Nd (x) and Nl (x), we see that when an attacker uses plaintexts such that the input differences α (output mask values u resp.) are randomly chosen, he is more likely to obtain a bound much lower than p2 (q 2 resp.) since most of the input differences α (output mask values u resp.) give rise F F to differential probabilities DP (α −→ β) (linear hull probabilities LP (u ←− w) 2 2 resp.) whose bounds are much smaller than p (q resp.). Such a scenario may occur when, for example, the (n+1)-round structure is an intermediate portion of a cipher so that the attacker does not have much control over the input differences (output mask values resp.). This motivates our desire to have more practically useful differential and linear hull probability bounds. For this purpose, we make the following definitions:

82

J. Choy et al.

Definition 1. The expected differential probability is defined as Ed 

=

F

DP (α−→β) #{(α,β)|α,β =0}  F w,u=0 LP (u←−w) #{(w,u)|w,u =0} α,β=0

and the expected linear probability is defined as El =

 Note that nx=2 Nd (x) = (2nB − 1)2 which is the total number of differences with both input and output non-zero. We may make a similar observation for the linear case. From this table, we may directly calculate the proportion of input-output differences (mask values resp.) with differential (linear hull resp.) probability ≤ px (q x resp.). Denote the approximate proportion of input-output Nd (x) differences with differential probability ≤ px by Pd (x) = #{(α,β)|α,β =0} . Likewise, denote the approximate proportion of input-output mask values with linear Nl (x) hull probability ≤ q x by Pl (x) = #{(w,u)|w,u =0} . It can be computed that the statistics are heavily skewed towards the lowest probabilities instead of p2 or q 2 . For example, when n = 4, B = 8, and when n = 4, B = 16, we have the following proportions shown in Table 2 in Appendix A. Using the frequency values in Table 1, we can derive that     n  1 n n B nB 2 B x nB x Ed ≤ nB (2 − 1) · (2 − 1)p + (2 − 1) · (2 − 1)p (2 − 1)2 1 x x=2     n  1 n n < nB (2B − 1)p + (2B − 1)x px (2 − 1) 1 x x=2  n    1 n B x x < nB (2 − 1) p (2 − 1) x=0 x =

1 (1 + (2B − 1)p)n (2nB − 1)

≈ (2−B + p)n ,

(4)

where we have approximated 2B − 1 and 2nB − 1 by 2B and 2nB respectively because B is usually much larger than 1. Similarly, we have El ≤ (2−B + q)n . For example, when n = 4, B = 8 and p = 2−6 , the bound in (4) is approximately 2−22.7 , which is much better than the 2−12 bound obtained from Theorem 1.

7

Impossible Differential Characteristics

Impossible differential cryptanalysis is a variant of differential cryptanalysis against block ciphers. It was applied against Skipjack to reject wrong key candidates by using input and output difference pairs whose probabilities are zero. It can also be used to attack a 5-round Feistel structure even though the 3round Feistel structure with bijective round functions are provably secure against differential and linear cryptanalysis.

Cryptographic Properties and Application of a GUFN Structure

83

In impossible differential cryptanalysis, impossible differential characteristics are used to retrieve a subkey material for the first or last several rounds of block ciphers. Thus the security of a block cipher against impossible differential cryptanalysis can be evaluated by impossible differential characteristics [26]. A general tool, called U -method, was introduced by [26] to find the maximum number of rounds for impossible differential characteristics. An algorithm, Algorithm 1, was also provided to compute the maximum length of impossible differential characteristics that can be found by the U -method. Interested readers may refer to [26] for the technicalities. By modifying Algorithm 1, we can determine the impossible differential characteristics of the block cipher structures. The following result for our block cipher n-cell GF-NLFSR is based on the simulation. Here, a r-round impossible differential characteristic is denoted by α r β where α = (α1 , α2 , · · · , αn ) and β = (β1 , β2 , · · · , βn ). Proposition 3. The maximum number of rounds for impossible differential characteristics that can be found by the U -method for n-cell GF-NLFSR is 2n − 1. Generalized impossible differential characteristics are (0, · · · , 0, αn ) 2n−1 (β1 , β2 , 0, · · · , 0), where αn  = 0, β1 = β2  = 0, and, (0, · · · , 0, αn ) 2n−1 (β1 , 0, · · · , 0, βn ), where αn  = 0, β1 = βn  = 0. In particular, when n = 4, a 7-round impossible differential characteristic is (0, 0, 0, γ) 7 (γ, γ, 0, 0), with the input and output differences to and after each round as follows: (0, 0, 0, γ) → (0, 0, γ, γ) → (0, γ, γ, 0) → (γ, γ, 0, 0) → (γ, 0, 0, γ + δ) → (0, 0, γ + δ, ?) → (0, γ + δ, ?, ?) = (0, γ, γ, 0) ← (γ, γ, 0, 0),

where γ, δ and ? denote nonzero nonfixed, nonzero fixed, and, nonfixed differences respectively. We can thus use a 7-round impossible differential to conduct an impossible differential attack.

8

Integral Attack

The integral attack is a cryptanalytic technique on block ciphers. It was originally proposed by Knudsen and Wagner in 2002 [9] and has since been adapted to cryptanalyse various ciphers. In this attack, a set of chosen plaintexts is encrypted and the corresponding ciphertexts are decrypted a certain number of rounds using all possible subkey guesses. The plaintext set is chosen such that one part is held constant while another part varies over all possibilities. Using this plaintext set, a distinguisher is produced after a certain number of rounds, which enables the attacker to determine the correct subkey which was used for partial decryption. We shall show that for n ≥ 2, GUFN has a (3n − 1)-round distinguisher, where n is the number of blocks.

84

J. Choy et al.

In this section, we let the n-tuple (A, c, . . . , c) denote a set of 2B plaintexts where the leftmost block of B bits vary over all 2B possibilities, while the other blocks, represented by c, are constants. We shall let uppercase letters represent a set that varies over all values in GF (2)B . Thus, we obtain the set (c, c, . . . , c, D + c) after a round of encryption. Consequently, we have the following sequence of round-by-round output sets after n rounds: (A, c, . . . , c) → (c, c, . . . , c, D + c) .. . → (c, D + c, D + c, c, . . . , c) → (D + c, D + c, c, c, . . . , c). After another n rounds we have the following: (D + c, D + c, c, . . . , c) → (D + c, c, . . . , c, D + E + c) → (c, . . . , c, D + E + c, D + E + G + c) → (c, . . . , c, D + E + c, D + E + G + c, G + c) → (c, . . . , c, D + E + c, D + E + G + c, G + c, c) .. . → (D + E + c, D + E + G + c, G + c, c, . . . , c). The distinguishing property of certain values in the set is subsequently destroyed block by block. We obtain this, after another n − 1 rounds: (D + E + c, D + E + G + c, G + c, c, . . . , c) → (D + E + G + c, G + c, c, . . . , c, ?) .. . → (c, ?, ?, . . . , ?). The set of ciphertexts after 3n− 1 rounds of encryption will be constant in the leftmost block. This property can be exploited as a distinguisher if the cipher has only slightly more than 3n − 1 rounds. Although some minor detail of the above proof does not apply for the cases n = 2 and n = 3, it can be easily verified, using a similar approach, that the (3n − 1)-round result still holds for these values of n.

9

Application: New Block Cipher Four-Cell

As an application, we design a new 128-bit block cipher, Four-Cell, with 128bit key size. It uses the block cipher structure described in Section 3 with four cells where each cell is a 32-bit word. The block cipher has 25 rounds and uses two types of nonlinear functions for round i, defined as follows:

Cryptographic Properties and Application of a GUFN Structure

85

fi (xi , ki , 0) = M DS(S(xi +ki )), for rounds i = 1, 2, . . . , 5 and i = 21, 22, . . . , 25. fi (xi , ki , ki ) = S(M DS(S(xi + ki )) + ki ), for rounds i = 6, 7, . . . , 20. Here, S : GF (28 )4 → GF (28 )4 is defined as S(x1 , x2 , x3 , x4 ) = (Inv(x1 ), Inv(x2 ), Inv(x3 ), Inv(x4 )), where Inv : GF (28 ) → GF (28 ) is affine equivalent to x → x254 on GF (28 ) (e.g., the AES S-box). M DS : GF (28 )4 → GF (28 )4 is a 4-byte to 4-byte maximal distance separable transform with optimal branch number 5 (e.g., the MixColumn operation in AES). Note that one subkey and one layer of S-box is used for rounds 1, 2, . . . , 5 and 21, 22, . . . , 25 while two subkeys and two layers of S-boxes are used for rounds 6, 7, . . . , 20. Moreover, we XOR a 128-bit post-whitening key K26 to the output after 25 rounds. We leave the implementation of a secure key schedule open to the reader. One possibility would be to use a similar cipher with 26 rounds as the key schedule. The only difference is that the nonlinear function for all rounds is defined as fi (xi , ci , 0) = M DS(S(xi + ci )) where the ci ’s are distinct randomly generated constants. The input to the key-schedule is the secret key K. The least significant 32 output bits (i.e., nonlinear output) of round i of the key schedule can be used as the ith -round cipher subkey ki . For rounds i = 6, 7, . . . , 20, we can take the next 32 least significant output bits of round i of the key schedule to be ki . The post-whitening key K26 is the 128-bit output of round 26 of the key schedule. In the following section, we demonstrate the security of Four-Cell against a slew of cryptanalytic attacks, in addition to differential and linear cryptanalysis. 9.1

Security of Four-Cell

Based on the cryptographic properties of the inversion S-box and MDS transform, it is easy to see that the differential and linear characteristic probabilities of Four-Cell are at most 2−192 < 2−128 . Therefore it is practically secure against differential and linear cryptanalysis. By combining the results of Sections 4 and 5 with the differential and linear probability of a SPN structure [19], we can show that the true differential and linear probabilities of Four-Cell are at most 2−55.39 and 2−52.96 respectively. However, this bound is tight only for a negligible number of input-output differences and masks. From the results of Section 6, the expected differential and linear probabilities are actually 2−110.5 and 2−105.79 respectively. Based on the true differential probability, we can show that if we split Four-Cell into two sub-ciphers with true differential probabilities p and q, then (pq)2 ≤ 2−221.57 2−128 . This will ensure Four-Cell is secure against boomerang attack. From the results of Section 7, there is a 10-round impossible differential attack based on a 7-round impossible differential distinguisher. In addition, from the results of Section 8, there is a 14-round attack based on an 11-round integral attack distinguisher. However, it is unlikely that these two attacks will work against the full cipher which will require a 21-round impossible differential/integral attack distinguisher.

86

J. Choy et al.

Furthermore, Four-Cell is secure against higher order differential and cube attacks after 9 rounds, because the algebraic degree of the cipher attains the maximum degree 127. We also see that interpolation attack might not work as the cipher will be a complex multivariable equation over GF (28 ). By analyzing the works in [3,4,5,12], we are able to show that the XSL attack (over GF (2) and GF (28 )) does not work on our cipher. Finally, Four-Cell is secure against slide attack because of its distinct round structures and distinct round subkeys. Full details on the analysis of Four-Cell can be found in the full version of our paper (with the same title) on the IACR cryptology eprint archive. 9.2

Implementation Considerations

The Four-Cell cipher uses 160 S-boxes based on the inversion function on GF (28 ). This is the same as the number of S-boxes used in AES. However only 25 MDS transform are used when compared to AES, which uses 40 MDS transforms. This might make the cipher faster in hardware implementations where the S-box and MDS are not combined into a T-table. Moreover, note that the computation of the nonlinear function in any 4 consecutive rounds of the cipher can be performed in parallel for faster encryption speed, giving it an added advantage over other GUFNs such as SMS4. Thus the Four-Cell cipher which (like the AES cipher) has provable security against existing block cipher attacks can be viewed as a viable alternative. Also note that although the inverse cipher of Four-cell is distinct from Four-cell itself and therefore coding might potentially take up more space in hardware, it is still useful for modes of operation such as counter mode, output feedback (OFB) mode, and cipher feedback (CFB) mode, where no inverse cipher is required.

Acknowledgement The authors would like to thank the anonymous reviewer of CT-RSA who pointed out the integral attack on Four-Cell.

References 1. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993) 2. Biryukov, A., Wagner, D.: Slide Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999) 3. Cid, C., Leurent, G.: An Analysis of the XSL Algorithm. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 333–352. Springer, Heidelberg (2005) 4. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. IACR eprint server 2002/044 (March 2002), http://www.iacr.org 5. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)

Cryptographic Properties and Application of a GUFN Structure

87

6. Daemen, J., Rijmen, V.: The Design of Rijndael: AES, The Advanced Encryption Standard. Springer, Heidelberg (2002) 7. Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials, Cryptology Eprint Archive, Report 2008/385 8. Jakobsen, T., Knudsen, L.R.: Attacks on Block ciphers of Low Algebraic Degree. Journal of Cryptology 14, 197–210 (2001) 9. Knudsen, L.R., Wagner, D.: Integral Cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002) 10. Lai, X.: On the Design and Security of Block Ciphers, Thesis (1992) 11. Lai, X., Massey, J.L., Murphy, S.: Markov Ciphers and Differential Cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991) 12. Lim, C.W., Khoo, K.: An Analysis of XSL Applied on BES. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 242–253. Springer, Heidelberg (2007) 13. Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., Weinmann, R.: Analysis of the SMS4 Block Cipher. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 158–170. Springer, Heidelberg (2007) 14. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994) 15. Matsui, M.: New Structure of Block Ciphers with Provable Security Against Differential and Linear Cryptanalysis. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 205–218. Springer, Heidelberg (1996) 16. Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002) 17. Nyberg, K.: Linear Approximation of Block Ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995) 18. Nyberg, K.: Generalized Feistel Networks. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996) 19. Park, S., Sang, S.H., Lee, S., Lim, J.: Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003) 20. Schneier, B., Kelsey, J.: Unbalanced Feistel Networks and Block-Cipher Design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996) 21. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit Blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007) 22. Daemen, J., Knudsen, L., Rijmen, V.: The Block Cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997) 23. Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999) 24. Wallen, J.: Design Principles of the KASUMI Block Cipher (June 2008), http://www.tml.tkk.fi/Opinnot/Tik-110.501/2000/papers/wallen.pdf 25. Wu, W., Zhang, W., Lin, D.: On the Security of Generalized Feistel Scheme with SP Round Function. International Journal of Network Security 3(3), 215–224 (2006) 26. Kim, J., Hong, S., Sung, J., Lee, S., Lim, J., Sung, S.: Impossible Differential Cryptanalysis for Block Cipher Structures. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 82–96. Springer, Heidelberg (2003)

88

A

J. Choy et al.

Tables Table 1. Frequencies of differential and linear hull probabilities

Differential Linear hull probability probability ≤ pn

≤ qn

≤ pn−1

≤ q n−1

≤ pn−2

≤ q n−2

.. .

.. .

≤ p3

≤ q3

≤ p2

≤ q2

≤ p2

≤ q2



Nd (x)/Nl (x)

# of elements in Δ (or Ω resp.) which are non-zero

B (2 − 1)n · (2nB − 1)

n

n (2B − 1)n−1 · (2nB − 1) n−1   n (2B − 1)n−2 · (2nB − 1) n−2 .. .   n B (2 − 1)3 · (2nB − 1) 3   n (2B − 1)2 · (2nB − 1) 2   n (2B − 1) · (2nB − 1) 1

n−1 n−2 .. . 3 2 1

Table 2. Distribution of proportions Differential Linear hull probability probability p4 q4 3 p q3 2 p q2

x

Pd (x)/Pl (x) n = 4, B = 8 n = 4, B = 16 4 0.9844663148 0.9999389662 3 0.1544260886 0.0000610323 2 0.0000910763 0.1396955440 × 10−8

Cryptographic Properties and Application of a GUFN Structure

B

89

Figures

Fig. 2. Sequence of differences(left)/mask values(right) for n + 1 rounds of GF-NLFSR

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT 1 ¨ Onur Ozen , Kerem Varıcı2, , Cihangir Tezcan3 , and C ¸ elebi Kocair4 1

2

EPFL IC LACAL Station 14. CH-1015 Lausanne, Switzerland [email protected] K.U.Leuven, Dept. of Electrical Engineering, ESAT/SCD/COSIC and IBBT Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium [email protected] 3 METU, Institute of Applied Mathematics, Department of Cryptography, 06531 Ankara, Turkey [email protected] 4 METU, Department of Computer Engineering, 06531 Ankara, Turkey [email protected]

Abstract. Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers are designed, of which Present and Hight are two recently proposed ones by Bogdanov et al. and Hong et al. respectively. In this paper, we propose new attacks on Present and Hight. Firstly, we present the first related-key cryptanalysis of 128bit keyed Present by introducing 17-round related-key rectangle attack with time complexity approximately 2104 memory accesses. Moreover, we further analyze the resistance of Hight against impossible differential attacks by mounting new 26-round impossible differential and 31-round related-key impossible differential attacks where the former requires time complexity of 2119.53 reduced round Hight evaluations and the latter is slightly better than exhaustive search. Keywords: Present, Hight, Related-Key Attack, Rectangle Attack, Impossible Differential Attack.

1

Introduction

Lightweight cryptography has become very vital with the emerging needs in sensitive applications like RFID (Radio-frequency identification) systems and 

This work was sponsored by the Research Fund K.U.Leuven, by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy) and by the European Commission through the ICT Programme under Contract ICT-2007-216676 (ECRYPT II). The information in this paper is provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 90–107, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Lightweight Block Ciphers Revisited

91

sensor networks. For these types of special purposes, there is a strong demand in designing secure lightweight cryptographic modules. After the selection of AES (Advanced Encryption Standard) [1], the research on efficient implementation of AES, especially for such constrained environments, brought special attention in research community. Even though it is highly convenient for such devices, the research on designing and analyzing new lightweight block ciphers that are more efficient than AES on these platforms poses huge challenges. For this purpose, several block ciphers are designed as potential candidates such as Hight [2,3], Present [4], mCrypton [5], SEA [6], CGEN [7], DES [8] and DESXL [8]1 . A recent portfolio2 , which contains four software and three hardware oriented stream ciphers [11], has been announced by ECRYPT as part of eSTREAM project to identify new stream ciphers that might become suitable for widespread adoption including lightweight platforms. As a result, stream ciphers are shown to be highly efficient on both software and hardware implementations comparing to block ciphers. To fill this efficiency gap, Present [4] was proposed by Bogdanov et al. at CHES ’07 as an ultra-lightweight block cipher with 31 rounds offering as good hardware and software performance as current modern stream ciphers while it is more efficient than many known block ciphers. Basic security analysis of Present is provided in [4] by showing resistance against known attacks such as differential, linear cryptanalysis and their variants. Recent differential attacks [12,13] on 16 and 19 rounds of Present provide similar results as in the original proposal with some practical evidence of applied characteristics where the latter is an attempt to combine algebraic attacks with differential cryptanalysis. Another type of an attack called bit-pattern based integral attack [14] is applicable up to seven rounds of Present. More recently, a new type of attack, called statistical saturation attack was proposed in [15] and shown to be applicable up to 24 rounds of Present. Previous results on the analysis of Present are summarized in Table 1. The security of Present against key schedule weaknesses is provided by showing the resistance against slide [16] and related-key differential attacks [17] where slide attacks are inapplicable because of the round dependent counters in key scheduling algorithm. Related-key differential attacks, on the other hand, are also believed to be inapplicable because of the sufficient non-linearity due to key scheduling algorithm. Hight [2,3] is a South Korean standard encryption algorithm enjoying the use of a low-resource hardware implementation. It is a 32 round block cipher proposed one year before Present at CHES ’06 by Hong et al. to be used for ubiquitous computing devices. The prominent characteristic of Hight is that it makes use of simple byte oriented operations such as exclusive-or, addition modulo 256 and cyclic rotation which offers nice performance on hardware. 1

2

TEA [9] and XTEA [10] can also be given as lightweight block ciphers which were designed before AES. The original hardware-oriented portfolio of eSTREAM contains four hardwareoriented stream ciphers. However, F-FSCR-H has recently been eliminated from the eSTREAM portfolio.

92

¨ O. Ozen et al.

Table 1. Summary of the attacks on Present and Hight (CP-Chosen Plaintext, MAMemory Accesses, PR-Reduced round Present evaluation, HE-Reduced round Hight evaluation) Cipher Rounds Key Size

Attack Type

Data Time Memory Reference Complexity Complexity Complexity

Present

24 24 7 17 19

80 Stat. Sat. 260 CP 220 PR 216 bytes 80 Stat. Sat. 257 CP 257 PR 232 bytes 128 Bit-Pat. Int. 224.3 CP 2100.1 MA 277 bytes 128 Rel.-Key Rec. 263 CP 2104 MA 253 bytes 128 Alg.-Dif. 6 × 262 CP 2113 MA not specified

Hight

18 25 26 26 28 31

128 Imp. Dif. 128 Imp. Dif. 128 Imp. Dif. 128 Rel.-Key Rec. 128 Rel.-Key Imp. 128 Rel.-Key Imp.

246.8 CP 260 CP 261 CP 251.2 CP 260 CP 264 CP

2109.2 HE 2126.78 HE 2119.53 HE 2120.41 HE 2125.54 HE 2127.28 HE

not specified not specified 2109 bytes not specified not specified 2117 bytes

[15] [15] [14] §3.1 [13] [2] [18] §4.1 [18] [18] §4.2

The security of Hight is investigated in [2] by showing resistance against differential, linear, truncated differential, boomerang, rectangle, impossible differential attacks and their related-key variants. In [2], the safety margin was shown to be 13 rounds as the best attack covers 19 rounds. Recent serious attacks [19] by Lu on reduced round Hight make use of 25, 26 and 28 round impossible differential, related-key rectangle and related-key impossible differential attacks: the last attack is the best attack on Hight so far that reduced the safety margin from 13 rounds to four rounds. In this work, we present the first related-key cryptanalysis of Present. For 128-bit keyed version, we introduce 17-round related-key rectangle attack [20,21,22] which is not explicitly mentioned in the original proposal [4]. Moreover, we further analyze the resistance of Hight against impossible differential attacks [23,24]. Firstly, we improve 25-round impossible differential attack of Lu by introducing a new characteristic to 26 rounds and update 28-round relatedkey impossible differential attack on 31 rounds. To the best of our knowledge, these are the best cryptanalytic results on Hight. We provide a summary of our results in Table 1. The organization of the paper is as follows. In Section 2, we give a brief description of the block ciphers Present and Hight. Section 3 introduces the idea behind the related-key attacks on Present and contains related-key rectangle attack on 17-round. In Section 4, we introduce our improved impossible differential and related-key impossible differential attacks on reduced round Hight. We conclude with Section 5 and provide supplementary details about the paper in Appendices.

2 2.1

The Block Ciphers PRESENT and HIGHT Notation

For Present and Hight, we use the same notation to denote the variables used in this paper. For the sake of clarity and the parallelism with the previous work

Lightweight Block Ciphers Revisited

93

Table 2. Notation ⊕  ≪i Present-n-r Ki Si ej1 ,...,jk Hight-r ej ej,∼

Bitwise logical exclusive OR (XOR) Addition modulo 28 Left cyclic rotation by i bits Present reduced to r-rounds with n-bit secret key ith subkey of Present ith S-Box of Present A word with zeros in all positions but bits j1 , . . . , jk Hight reduced to r-rounds A byte with zeros in all positions but bit j (0  j  7) A byte that has zeros in bits 0 to j − 1, a one in bit j and indeterminate values in bits (j + 1) to 7 A byte that has zeros in bits 0 to j and indeterminate values in bits (j + 1) to 7 An arbitrary byte jth byte of state variable of round i of Hight, (0  j  7) (0  i  32) ith secret key byte of Hight ith whitening key byte of Hight ith subkey byte of Hight

e¯j,∼ ? Xi,j MKi W Ki SKi

[19], we use exactly the same notation for Hight which is provided in Table 2. Throughout the paper, it is assumed that the rounds are numbered from zero and the leftmost bit is the most significant bit in a byte or a word. 2.2

PRESENT

Present is a 31-round (and an output whitening at the end) SPN (Substitution Permutation Network) type block cipher with block size of 64 bits that supports 80 and 128-bit secret key. Round function of Present, which is depicted in Figure 1, is same for both versions of Present and consists of standard operations such as subkey XOR, substitution and permutation: At the beginning of each round, 64-bit input of the round function is XORed with the subkey. Just after the subkey XOR, 16 identical 4 × 4-bit S-boxes are used in parallel as a non-linear substitution layer and finally a permutation is performed so as to provide diffusion. The subkeys for each round are derived from the user-provided secret key by the key scheduling algorithm. We provide only the details of the key scheduling algorithm of Present-128 as it is the main target of this paper: 128-bit secret key is stored in a key register K and represented as k127 k126 . . . k0 . The subkeys Ki (0 ≤ i ≤ 31) consist of 64 leftmost bits of the actual content of register K. After round key Ki is extracted, the key register K is rotated by 61 bit positions

Ki

S15

S14

S13

S12

S11

S10

S9

S8

S7

S6

S5

S4

Fig. 1. Round function of Present

S3

S2

S1

S0

¨ O. Ozen et al.

94 X

X

i, 7

X

i, 6

X

i, 5

SK

F0

i+1, 7

X

i, 3

i+1, 6

X

i+1, 5

X

X

i, 1 4(i+1)−4

F0

X

i+1, 4

X

i+1, 3

i, 0

SK

4(i+1)−3

F1

X

i, 2

SK

4(i+1)−2

4(i+1)−1

X

X

i, 4

SK

F1

X

i+1, 2

X

i+1, 1

X

i+1, 0

Fig. 2. ith round of Hight for i = 0, . . . , 31

to the left, then S-box is applied to the left-most eight bits of the key register and finally the round counter value, which is a different constant for each round, is XORed with bits k66 k65 k64 k63 k62 . Further details about the specification of Present are provided in [4]. 2.3

HIGHT

Hight is a 32-round block cipher with 64-bit block size and 128-bit user key that makes use of an unbalanced Feistel Network. The encryption function starts with an Initial Transformation (IT) that is applied to plaintexts together with input whitening keys W Ks. At the end of 32 rounds, in order to obtain the ciphertexts, a Final Transformation (FT) is applied to the output of the last round together with an output whitening. The byte-oriented round function, shown in Figure 2, uses modular addition, XOR and linear subround functions F0 and F1 ; the latter can be described as follows: F0 (x) = (x ≪ 1) F1 (x) = (x ≪ 3)

⊕ (x ≪ 2) ⊕ (x ≪ 4)

⊕ (x ≪ 7) ⊕ (x ≪ 6)

Hight only works with 128-bit secret key M K which is treated as 16 bytes, (M K15 , . . . , M K0 ). The key schedule of Hight uses additional constants to avoid the self similarity in the key scheduling algorithm which prevents cipher from slide attacks. Input-output whitening keys and round subkeys are obtained by permuting the 16 bytes of the original key and using addition with constants. Table 9 will be extensively used in this paper that shows the relations between the original and the subkey bytes. Namely, each value in a row represents the obtained whitening and subkey bytes once the corresponding byte in the first column of the same row of the original key is known. Further details about the specification of Hight are provided in [2,3].

3

The Related-Key Attacks on PRESENT

The idea behind the related-key attacks on Present is to benefit from the slow mixing in the key scheduling algorithm which makes use of only one or two Sbox operations (depending on the version) during each iteration. To achieve this

Lightweight Block Ciphers Revisited

95

goal, we made an efficient search for related-key differentials of Present which was done by flipping at most two bits of the original key. The crucial part of the key differentials is that we only consider the trivial differentials. More precisely, all reduced round key differentials in our attacks work with probability one. In the original proposal of Present [4], the resistance against differential and linear attacks are given by the bounds provided by the minimum number of active S-boxes. This approach also works for showing resistance against wide variety of attacks. A recent differential attack [12] uses same idea to attack the cipher by increasing the overall probability of the characteristics more effectively. Although there is no contradiction with the security claims given in [4], the differential attack in [12] provides a practical evidence. In this work, however, our aim is quite different and simple in that we try to decrease the number of active S-boxes (NAS). In order to do so, we cancel the intermediate differences with the subkey differences and construct our differentials by activating at most five S-boxes at the beginning. At the end, we are able to construct related-key differentials having less active S-boxes than given in [12]. As an example, for Present-80, the minimum number of active S-boxes for any five-round differential characteristic is given to be ten in [4,12]. However, we found several five-round related-key differentials with only three active S-boxes. Although it seems quite promising, as the number of rounds increases, the minimum number of active S-boxes gets closer to the one given in the original proposal [12] and the overall probabilities of the characteristics are not optimal. Still, for less number of rounds the related-key differentials are efficient and the number of possible characteristics are quite high. So, attacks like the related-key rectangle attack are easily applicable. 3.1

The Related-Key Rectangle Attack on PRESENT-128-17

The related-key rectangle attack is the clever extension of differential cryptanalysis. In rectangle-boomerang style attacks, the attacker uses two short differential characteristics instead of one long differential characteristic. The aim is to benefit from the slow mixing in relatively reduced round versions of the attacked cipher. We provide a brief description about the related-key rectangle attack in Appendix A and follow the mounted attack on Present. Throughout the paper, the related-key rectangle attack is assumed to be mounted by using four related keys. Let E denote the encryption function of Present-n-r. We treat E as a cascade of four subciphers as E = Ef ◦ E1 ◦ E0 ◦ Eb where E is composed of a core E  = E1 ◦ E0 covered by additional rounds, Eb and Ef which are the subciphers before and after the core function respectively. For the related-key rectangle attack on Present-128-17, we use the following decomposition: E0 starts with the first round and ends just after the subkey XOR in round eight. E1 , on the other hand, commences with the substitution layer in round eight and stops at the end of round 143 . Round 0 and round 3

This decomposition is not unique and can be done in various ways.

96

¨ O. Ozen et al. Table 3. An example of related-key differential used in E0

r 1 2 3 4 5 6 7 8

Input Difference Δ(I) 00000000000000bb 0003000000000000 0000000000000000 0000000000000000 0000000004000000 0000004000000040 0000000200000202 0000010500000105

Key Difference Δ(K) 0000000000000000 0003000000000000 0000000000000000 00000c0000000000 0000000000000000 0000003000000000 0000000000000000 00000000c0000000

Δ(I) ⊕ Δ(K) 00000000000000bb 0000000000000000 0000000000000000 00000c0000000000 0000000004000000 0000007000000040 0000000200000202 00000105c0000105

Output Difference NAS P Δ(O) 0003000000000000 2 2−4 0000000000000000 0 1 0000000000000000 0 1 0000000004000000 1 2−3 0000004000000040 1 2−2 0000000200000202 2 2−4 0000010500000105 3 2−6 1

15 − 16 serve as the round before and after the distinguisher respectively (Eb and Ef )4 . All the differentials used in E0 have the same input difference α = e0,1,3,4,5,7 and they all work with the key difference ΔK 12 = e118,119 . There are at least 343 such characteristics with varying differences at the beginning of the seventh round: there exist one characteristics of probability p = 2−19 , 18 characteristics of probability p = 2−20 , 108 characteristics of probability p = 2−21 and 216 characteristics of probability p = 2−22 . Therefore the overall probability for E0  −19 is pˆ = 1 · (2 )2 + 18 · (2−20 )2 + 108 · (2−21 )2 + 216 · (2−22 )2 ≈ 2−17 . Table 3 shows one of the characteristics used for E0 . Given the α difference, the number of active S-boxes in Eb which lead to an α difference in round 1 can be found by applying the inverse permutation to α difference. This leads to six active S-boxes in the first round with varying output differences after the substitution layer. These six S-boxes are used to create the α difference before the core function. Since the output difference is known for all active S-boxes in round 0, namely 1x , not all of the input differences are possible. The number of possible input differences is only 215.5 instead of 224 . For the second subcipher E1 , we use the fixed output difference δ = e11,15 under the key difference ΔK 13 = e117,121 . The most efficient characteristic is provided in Table 4 with probability p = 2−12 . As it can be seen from the table, the overall probability for E1 is qˆ ≈ 2−12 . Thus, the probability of the relatedkey rectangle distinguisher is given by P r = 2−64 pˆ2 qˆ2 ≈ 2−122 . Similarly, the subcipher Ef after the core function can be defined by letting δ propagate. In round 15, there exist two active S-boxes with input differences 8x each leading to six output differences and these outputs are diffused to six different S-boxes after key addition in round 16 which produce 221.22 possible output differences in total out of 224 . To attack 17 round Present, we request 239 structures of 224 plaintexts each. The structures are chosen in such a way that each structure varies all over the possible inputs to the active S-boxes in Eb , while the differences for the other S-boxes are kept zero. Our aim is to get an α difference at the beginning of E0 . This technique for choosing plaintexts lets us 247 pairs in total for each structure in which 223 of them satisfy α difference before E0 . Thus, the total 4

We exclude the output whitening in our attack.

Lightweight Block Ciphers Revisited

97

Table 4. An example of related-key differential used in E1 r 14 13 12 11 10 9 8

Output Difference Δ(O) 0000000000008800 0000000000000000 0000000000000000 0000000000600060 0000000008800000 0000000000000000

Key Difference Δ(K) 0000000000008800 0000000000000000 0000000000220000 0000000000000000 0000000008800000 0000000000000000

Δ(I) ⊕ Δ(K) 0000000000000000 0000000000000000 0000000000220000 0000000000600060 0000000000000000 0000000000000000 0000000000000000

P −1 (S −1 (I ⊕ K)) NAS

P

0000000000000000 0000000000000000 0000000000600060 0000000008800000 0000000000000000 0000000000000000 0000000000000000

1 1

0 0 2 2 0 0

2−6 2−6 1 1

number of pairs with an α difference before the core function is 262 that produce approximately 2124 quartets of which 2124 · 2−64 · 2−58 = 22 = 4 are expected to be right. The overall attack works as follows: 1. Generate 239 structures of 224 plaintexts and encrypt each structure of plaintexts with K 1 , K 2 , K 3 and K 4 to obtain the corresponding pool of ciphertexts C j where 1 ≤ j ≤ 4. – This step requires data complexity of 263 chosen plaintexts and time complexity of 265 Present-128-17 encryptions. 2. Generate 224+8+24 = 256 counters each of which corresponds to a different key guess in Eb and Ef respectively. – Time complexity of this step is 256 memory accesses. 1 3 3. Insert 265 ciphertexts (C 1 , C 3 ) and (C 2 , C 4 ) into hash tables (T13 , T13 ) and 2 4 (T24 , T24 ) respectively indexed by 40 (expected inactive) bits. If a collision 1 3 2 4 occurs in the same bins of (T13 , T13 ) and (T24 , T24 ), check whether the differences of the collided ciphertexts are one of the 221.22 expected ciphertext differences. – This step has time complexity of 265 memory accesses from inserting all the ciphertext into hash tables. In the hash tables there exist 240 bins and in each bin we expect to have 223 ciphertexts. Therefore, we can 1 2 form (223 )2 = 246 pairs where one of the components from T13 (T24 ) and 3 4 86 the other is from T13 (T24 ). That makes 2 pairs in total for each pair 1 3 2 4 of tables (T13 , T13 ) and (T24 , T24 ). In order to check whether colliding ciphertexts’ differences are one of the expected ciphertext differences we have to make 287 memory accesses in total. The number of remaining 1 3 2 4 pairs is 286−2.78 = 283.22 for each of (T13 , T13 ) and (T24 , T24 ) since the probability of having expected difference in the ciphertexts is 221.22−24 = 2−2.78 . 4. For each surviving pair (C1 , C3 ) (and (C2 , C4 )) from the previous step, find the corresponding plaintext pairs (P1 , P3 ) (and (P2 , P4 )) from the structures. For each such pair, check whether P1 ⊕ P2 satisfies the required difference in Eb . If this check succeeds, examine the ciphertexts C3 and C4 that collided with C1 and C2 respectively. If the difference between the corresponding plaintexts P3 and P4 also satisfies the required difference in Eb , continue to analyze the quartet ((P1 , P2 ), (P3 , P4 )).

¨ O. Ozen et al.

98

– The probability that P1 ⊕P2 satisfies the required difference is 215.5−24 = 2−8.5 , if they are in the same structure. So, the probability that the required difference is satisfied is 2−8.5−39 = 2−47.5 under the assumption of uniform distribution of plaintexts and structures. This reduces the 1 3 number of pairs satisfying the condition in (T13 , T13 ) to 283.22−47.5 = 35.72 35.72 2 4 2 . Similarly, there exist 2 pairs in (T24 , T24 ). Thus, we can form (235.72 )2 = 271.44 quartets satisfying the conditions in Eb and Ef . In order to do this filtering we have to make 284.22 memory accesses. 5. For each remaining quartet ((P1 , P2 ), (P3 , P4 )), ((C1 , C2 ), (C3 , C4 )) and every possible subkey value (kb and kf independently) of Eb and Ef test whether Ebkb (P1 ) ⊕ Eb  (P2 ) = Eb k b

 k b

(P3 ) ⊕ Eb

 k b

(P4 ) = α

Ef−1 (C1 ) ⊕ Ef−1 (C3 ) = Ef−1 (C2 ) ⊕ Ef−1 (P4 ) = δ k f

k f

k f

k f



where kb = kb ⊕ ΔK 12 



and kb = kb ⊕ ΔK 12 , 

where kf = kf ⊕ ΔK 13 



and kf = kf ⊕ ΔK 13 hold.

If this is the case, increment the counters that correspond to kb , kf . – In this step, every surviving quartet is partially encrypted (in Eb ) and decrypted (in Ef ) independently. As the number of subkeys guessed are more in Ef than in Eb , the overall complexity of this step is 271.44+32 = 2103.44 memory accesses and half round decryptions (as eight S boxes are affected in total); the latter is equivalent to 299 Present-128-17 evaluations. 6. Output the subkeys whose counters are maximal. – This step requires 256 memory accesses. Since α difference after Eb can be obtained from 215.5 input differences in step 5, the probability that the intermediate difference is α before the core function is 2−15.5 on average. Thus, each subkey is suggested by a quartet with probability 2−31 . Similarly, the probability that the difference after the core function has an δ difference is 2−21.22 on average leading to 2−42.44 of the subkeys by the quartets. Each of the 271.44 quartets that enter step 5 suggests 256−2×15.5−2×21.22 = 2−17.44 subkeys, so the total number of suggested subkeys is about 254 . As there are 256 subkeys, the expected number of times a wrong subkey is suggested is about 2−2 . This means that we can find the right subkey or at least discard almost all the wrong subkeys. Thus, the overall attack has memory complexity of 253 bytes, time complexity of 2104 memory accesses and data complexity of 263 chosen plaintexts. The expected number of right quartets is taken to be four.

4

Impossible Differential Attacks on HIGHT

In this section, we introduce improved impossible differential attack on 26-round and related-key impossible differential attack on 31-round Hight which utilize

Lightweight Block Ciphers Revisited

99

Table 5. 26-Round impossible differential ΔX0 ΔX1 ΔX2 ΔX3 ΔX4

ΔXi,7 ΔXi,6 ΔXi,5 ΔXi,4 ΔXi,3 ΔXi,2 ΔXi,1 ΔXi,0 ? ? ? ? ? e0,∼ 0 0 ? ? ? ? e0,∼ 0 0 0 ? ? ? e0,∼ 0 0 0 0 ? ? e0,∼ 0 0 0 0 0 ? e0,∼ 0 0 0 0 0 0

ΔX5 ΔX6 ΔX7 ΔX8 ΔX9 ΔX10 ΔX11 ΔX12 ΔX13

e0,∼ 0 0 0 0 ? ? ? e0,∼

0 0 0 0 ? ? ?

0 0 0 0 ? ?

e0,∼ ?

ΔX13 ΔX14 ΔX15 ΔX16 ΔX17 ΔX18 ΔX19 ΔX20 ΔX21

e¯ 0,∼ 80x 0 0 0 0 0 0 0

80x 0 0 0 0 0 0 0 80x

e2,∼ 80x 0

ΔX22 ΔX23 ΔX24 ΔX25 ΔX26

80x 0 0 0 ?

0 0 0 ? ?

0 0 0 ? ?

FT

?

?

?

0 0 0 ? ?

0 0 0 ?

0 0 ? e0,∼ 0 0 ? ? ?

0 0 e0,∼ 0 0 0 ? ? ?

SK3 SK7 SK11 SK15 SK19

Subkeys SK2 SK1 SK6 SK5 SK10 SK9 SK14 SK13 SK18 SK17

SK0 SK4 SK8 SK12 SK16

0 e0,∼ 0 0 0 ? ? ? ?

SK23 SK27 SK31 SK35 SK39 SK43 SK47 SK51 SK55

SK22 SK26 SK30 SK34 SK38 SK42 SK46 SK50 SK54

SK21 SK25 SK29 SK33 SK37 SK41 SK45 SK49 SK53

SK20 SK24 SK28 SK32 SK36 SK40 SK44 SK48 SK52

SK55 SK59 SK63 SK67 SK71 SK75 SK79 SK83 SK87

SK54 SK58 SK62 SK66 SK70 SK74 SK78 SK82 SK86

SK53 SK57 SK61 SK65 SK69 SK73 SK77 SK81 SK85

SK52 SK56 SK60 SK64 SK68 SK72 SK76 SK80 SK84

e0,∼ 0 ?

e0,∼ 0 ? ?

e0,∼ 0 0 ? ?

?

?

?

?

?

?

? ? ? ? ?

? ? ? ?

? ? ?

? ?

? e0,∼ 80x 0 0 0 0 0

e0,∼ 80x 0 0 0 0 0 0 e0,∼ 80x 0 0 ? 0

e2,∼ 80x 0 0 0 0 ? ? e¯ 0,∼ ?

e0,∼ 80x 0 0 0 0 0 ?

e0,∼ 80x 0 0 0 0 0 ?

e0,∼ 80x

e0,∼ 80x 0

0 e0,∼ 80x 0 0

e¯ 0,∼

80x

0

SK91 SK90 SK89 SK88 SK95 SK94 SK93 SK92 SK99 SK98 SK97 SK96 SK103 SK102 SK101 SK100 W K7 W K6 W K5 W K4

16-round impossible differential and 22-round related-key impossible differential characteristics respectively. For impossible differential attack on 26-round Hight, we use a similar characteristic as in [19] which enables us to attack 26round of Hight with a lower complexity. However, we use better characteristic for related-key impossible differential attack. The process of both attacks is similar. First, a data collection part is processed for the generation of necessary plaintext-ciphertext pairs. Then, to guarantee the impossible differential characteristic, pairs are filtered by checking the conditions at each intermediate rounds. At the end, the guessed key is eliminated if any one of the remaining pairs satisfies the impossible differential characteristic. 4.1

Impossible Differential Attack on HIGHT-26

We use the following 16-round impossible differential which is also given in Table 5 in detail: (e0,∼ , 0, 0, 0, 0, 0, 0, 0)  (0, 80x , 0, 0, 0, 0, 0, 0) In Table 5, the contradictory differences and the guessed subkey bytes in the attack are labeled with gray background. The differences used here are considered with respect to XOR operation and shown as hexadecimal. The propagation of the differences can easily be checked by the properties of addition and linear subround functions Fi . Contradiction is shown by miss in the middle manner at values X13,7 . This attack covers the rounds 0 - 25 and excludes the input whitening as done in [19]. Overall attack on 26-round Hight works as follows:

100

¨ O. Ozen et al.

1.) Data Collection (i) Choose 213 structures of 248 plaintexts each where the bytes (1, 0) have fixed values, bytes (7, 6, 5, 4, 3) and most significant 7 bits of the byte (2) take all possible values. – Such a structure of plaintexts propose 294 plaintext pairs and so we get 2107 pairs in total. (ii) Obtain all the ciphertexts C i of the plaintexts P i . Choose only the ciphertext pairs satisfying the difference (?, ?, ?, ?, e¯0,∼ , 80x , 0, 0). – This step can be done by inserting all the ciphertexts into a hash table indexed by expected inactive bits and choosing the colliding pairs which satisfy the required difference. There is a 25-bit filtering condition over the ciphertext pairs. Therefore, 282 pairs remain. 2.) Filtering and Key Elimination We have 28 similar steps given in Table 6 to reach impossible differential characteristic and eliminate the wrong key values. Let us look at the first step as an example. Guess M K3 and partially encrypt every plaintext pairs by using SK3 to obtain (7, 0)-th bytes of X1 (The relation between the M K values and SK values are given in the Table 9). The expected difference for the (7, 0)-th bytes is (?, 0) which comes up with an eight-bit condition. Therefore, the number of total pairs is decreased to 282−8 = 274 after this step. In this step, we partially encrypt 282 pairs with the guessed eight-bit of the secret key. Each partial encryption is equivalent to 1/4th of a round of Hight and the overall attack is done on 26 rounds. Thus, the complexity of this step is 1 2 · 282 · 28 · 14 · 26 ≈ 284.30 26-round Hight encryptions. Remaining steps given in Table 6 follow similarly. Moreover, if the secret key byte M K is already guessed and known for the required subkey SK, it is directly used and since most of the previous conditions are preserved for the next rounds there does not exist too much conditions on the evaluation process of intermediate rounds. In step 28, if a pair satisfies the impossible differential characteristic, we eliminate that guessed key. Since there is an eight-bit condition, every pair eliminates 2−8 of the keys. Therefore after the first pair, there remain 2112 − 2104 = 2112 ·(1 − 2−8 ) keys. After the second pair, it is expected to have 2112 ·(1 − 2−8 )− 2112 · (1 − 2−8 ) · 2−8 = 2112 · (1 − 2−8 )2 remaining keys. Following that manner, 112 −8 211 100.46 after the last pair, we have remaining  2 (1 − 2 ) ≈ 2  keys. Complex1 112 −8 −8 211 −1 ity of this step is 2 · 2 1 + (1 − 2 ) + . . . + (1 − 2 ) · 14 · 26 ≈ 2114.30 Hight encryptions. 3.) Final Step For every recorded 112 bit key at the end of Step 28, we obtain the remaining 16 bits and the original key itself with exhaustive search by checking over two plaintext-ciphertext pairs. The probability that a wrong key is suggested is approximately 2−64×2 = 2−128 . So, the expected number of wrong keys is about 2−128 · 2116.46 = 2−11.54 . Thus, it is very likely that we can find the correct key.

Lightweight Block Ciphers Revisited

101

Table 6. 26-Round impossible differential attack Use

Obtain

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Guess Key Byte M K3 M K1 M K2 M K7 M K0 M K4 M K8 M K6 M K11 M K15 -

SK3 W K7 , SK103 SK2 SK7 W K6 , SK102 SK98 W K5 , SK101 SK97 SK93 SK1 SK6 SK11 W K4 , SK100 SK96 SK92 SK88

(7, 0) of X1 (7, 6) of X25 (6, 5) of X1 (7, 0) of X2 (5, 4) of X25 (5, 4) of X24 (3, 2) of X25 (3, 2) of X24 (3, 2) of X23 (4, 3) of X1 (6, 5) of X2 (7, 0) of X3 (1, 0) of X25 (1, 0) of X24 (1, 0) of X23 (1, 0) of X22

17 18 19 20 21 22 23 24 25 26 27 28

M K5 M K10 M K14 M K9 -

SK0 SK5 SK10 SK15 SK99 SK95 SK91 SK87 SK4 SK9 SK14 SK19

(2, 1) of X1 (4, 3) of X2 (6, 5) of X3 (7, 0) of X4 (7, 6) of X24 (7, 6) of X23 (7, 6) of X22 (7, 6) of X21 (2, 1) of X2 (4, 3) of X3 (6, 5) of X4 (7, 0) of X5

Check Condition Remaining Time Difference (In terms of bits) Pairs Complexity(HE) 74 (?, 0) 8 2 ≈ 284.30 (0, ?) 8 266 ≈ 284.30 266 ≈ 284.30 (?, 0) 8 258 ≈ 292.30 258 ≈ 292.30 (0, ?) 8 250 ≈ 2100.30 50 2 ≈ 292.30 250 ≈ 292.30 (0, ?) 8 242 ≈ 2100.30 242 ≈ 292.30 242 ≈ 2100.30 (?, 0) 8 234 ≈ 2108.30 234 ≈ 2100.30 34 2 ≈ 2100.30 34 2 ≈ 2108.30 (0, e0,∼ ) 8 226 ≈ 2108.30 226 ≈ 2100.30 226 ≈ 2108.30 226 ≈ 2116.30 (?, 0) 8 218 ≈ 2116.30 218 ≈ 2108.30 18 2 ≈ 2108.30 18 2 ≈ 2116.30 (0, 80x ) 7 211 ≈ 2116.30 211 ≈ 2109.30 211 ≈ 2117.30 211 ≈ 2117.30 (e0,∼ , 0) 8 ≈ 2114.30

The total complexity of the steps given in Table 6 is 2119.35 . Since we have approximately 2100.46 remaining keys before the final step, the complexity of the final step is 2100.46+16 = 2116.46 . Therefore, the overall complexity of the attack is 2119.35 + 2116.46 = 2119.53 26-round Hight evaluations, 261 chosen plaintexts of data and 2109 bytes of memory. 4.2

Related-Key Impossible Differential Attack on HIGHT-31

In this section, we introduce our related-key impossible differential attack on 31-round Hight which utilizes a new 22-round related-key impossible differential. The differences of this attack from [19] are the used related-key impossible differential and the overall complexity which makes use of a related-key impossible differential of three more rounds. We use the following 22-round impossible differential which is given in Table 7 in detail: (0, 0, 0, 0, 0, 0, 80x, 0)  (0, 0, 0, 80x, 0, 0, 0, 0) The related-key impossible differential occurs by using the key difference (ΔM K15 , ΔM K14 , . . . , ΔM K0 ) = (80x , 0, . . . , 0). The contradiction occurs at values X17,3 and can be shown similarly by miss in the middle manner which is given in Table 7 where the contradictory differences and the subkey bytes having nonzero differences are shown with gray background. The related-key impossible differential was found by imposing the difference 80x to all 16 key bytes and observing the impossibility at the differentials. It can be concluded that the best

102

¨ O. Ozen et al. Table 7. 31-Round related-key impossible differential ΔX0 ΔX1 ΔX2 ΔX3 ΔX4 ΔX5 ΔX6 ΔX7 ΔX8 ΔX9 ΔX10 ΔX11 ΔX12 ΔX13 ΔX14 ΔX15 ΔX16 ΔX17

ΔXi,7 ΔXi,6 ΔXi,5 ΔXi,4 ΔXi,3 ΔXi,2 ΔXi,1 ΔXi,0 ? ? ? e0,∼ 80x 0 ? ? ? ? e0,∼ 80x 0 0 ? ? ? e0,∼ 80x 0 0 0 ? ? e0,∼ 80x 0 0 0 0 ? ? 80x 0 0 0 0 0 ? e2,∼ 0 0 0 0 0 0 e2,∼ 80x 0 0 0 0 0 0 0 e2,∼ 80x 0 80x ? ? ? ?

0 0 0 0 0 0 e2,∼ 80x 0 80x ? ? ? ?

0 0 0 0 0 0 80x 0 0 0 ? ?

0 0 0 0 0 80x 0 0 0 ? ? ?

e0,∼

e0,∼ ?

e0,∼ 80x 0 0 0 0 0 0 0 0 0 80x

80x 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0 0

e2,∼ 80x 0 0 0 0 0

e2,∼ 80x 0 0 0 0 0 0

0 0 0 0

0 0 0 0

0 0 ? 0

0 0 ? ?

0 ? e0,∼ ?

ΔX17 ΔX18 ΔX19 ΔX20 ΔX21 ΔX22 ΔX23 ΔX24 ΔX25 ΔX26 ΔX27 ΔX28

e0,∼ 80x 0 0 0 0 0 0 0

e0,∼ 80x 0 0 0 0 0 0 0 0

? e0,∼ 80x 0 0 0 0 0 0 0 0 0

ΔX29 ΔX30 ΔX31 FT

0 e2,∼ 80x e0,∼

e2,∼ 80x 0 80x

80x 0 0 0

0 0 0 0 0 0 0 0 0 ? ?

0 0 0 0 0 0 0 0 ? ?

80x 0 0 0 0 0 0 0 ? e0,∼ 80x e0,∼ ? ? ? ? ?

0 0 0 0 0 0 0 ? e0,∼ 80x e0,∼ ? ? ? ? ?

SK3 SK7 SK11 SK15 SK19 SK23

Subkeys SK2 SK1 SK6 SK5 SK10 SK9 SK14 SK13 SK18 SK17 SK22 SK21

SK0 SK4 SK8 SK12 SK16 SK20

SK27 SK31 SK35 SK39 SK43 SK47 SK51 SK55 SK59 SK63 SK67 SK71

SK26 SK30 SK34 SK38 SK42 SK46 SK50 SK54 SK58 SK62 SK66 SK70

SK25 SK29 SK33 SK37 SK41 SK45 SK49 SK53 SK57 SK61 SK65 SK69

SK24 SK28 SK32 SK36 SK40 SK44 SK48 SK52 SK56 SK60 SK64 SK68

SK71 SK75 SK79 SK83 SK87 SK91 SK95 SK99 SK103 SK107 SK111 SK115

SK70 SK74 SK78 SK82 SK86 SK90 SK94 SK98 SK102 SK106 SK110 SK114

SK69 SK73 SK77 SK81 SK85 SK89 SK93 SK97 SK101 SK105 SK109 SK113

SK68 SK72 SK76 SK80 SK84 SK88 SK92 SK96 SK100 SK104 SK108 SK112

SK119 SK118 SK117 SK116 SK123 SK122 SK121 SK120 W K7 W K6 W K5 W K4

related-key impossible differential is 22 rounds and it can not be extended by the same technique5 . Using this related-key impossible differential, we can attack up to 31 rounds of Hight. This attack covers the rounds 0 - 30 and excludes the input whitening as done in 26-round impossible differential attack [19]. We use the related-key impossible differential characteristic to attack 31-round of Hight which is detailed in Table 7. The attack can be described as follows. 1.) Data Collection (i) Choose 215 structures of 248 plaintexts each where the byte (2) and the least significant seven bits of the byte (3) are fixed to certain values. The bytes (7, 6, 5, 1, 0) and the most significant seven bits of the byte (7) contain every possible values. – There exist 2110 plaintext pairs in total which are encrypted by the prescribed difference in the key. (ii) Obtain all the ciphertexts C i of the plaintexts P i encrypted with K 1 and  ciphertext C i of the plaintexts P i encrypted with K 2 where K 1 ⊕ K 2 =  (80x , 0, . . . , 0). Choose only the ciphertext pairs (C i , C j ) satisfying the difference (e0,∼ , 80x , 0, 0, 0, 0, ?, ?). 5

A similar attack with the same complexity can be mounted by imposing the difference 80x to M K9 instead of M K15 .

Lightweight Block Ciphers Revisited

103

Table 8. 31-Round related key impossible differential attack Guess Use Obtain Check Condition Remaining Time Key Byte Difference (In terms of bits) Pairs Complexity(HE) M K0 SK0 (2, 1) of X1 (0, ?) 8 bits 261 ≈ 271.05 M K3 SK3 (7, 0) of X1 261 ≈ 271.05 M K4 SK4 (2, 1) of X2 (0, ?) 8 bits 253 ≈ 279.05 M K9 W K4 , SK120 (1, 0) of X30 (0, ?) 8 bits 245 ≈ 279.05 43 M K12 W K7 , SK123 (7, 6) of X30 (e2,∼ , 80x ) 2 bits 2 ≈ 279.05 35 6 SK119 (7, 6) of X29 (0, e2,∼ ) 8 bits 2 ≈ 277.05 7 M K2 SK2 (6, 5) of X1 235 ≈ 277.05 8 M K7 SK7 (7, 0) of X2 235 ≈ 285.05 9 M K8 SK8 (2, 1) of X3 (0, ?) 8 bits 227 ≈ 293.05 10 M K11 W K6 , SK122 (5, 4) of X30 227 ≈ 293.05 11 SK118 (5, 4) of X29 227 ≈ 293.05 12 SK114 (5, 4) of X28 (0, 80x ) 5 bits 222 ≈ 293.05 13 M K1 SK1 (4, 3) of X1 222 ≈ 296.05 22 14 M K6 SK6 (6, 5) of X2 2 ≈ 2104.05 22 15 SK11 (7, 0) of X3 2 ≈ 2104.05 16 SK12 (2, 1) of X4 (0, ?) 8 bits 214 ≈ 2104.05 17 M K5 SK5 (4, 3) of X2 214 ≈ 2104.05 18 M K10 SK10 (6, 5) of X3 214 ≈ 2112.05 19 M K15 SK15 (7, 0) of X4 (80x , e2,∼ ) 2 bits 212 ≈ 2120.05 20 SK16 (2, 1) of X5 (0, e2,∼ ) 8 bits 24 ≈ 2118.05 21 SK9 (4, 3) of X3 24 ≈ 2110.05 22 M K14 SK14 (6, 5) of X4 24 ≈ 2118.05 4 23 SK19 (7, 0) of X5 2 ≈ 2118.05 24 SK20 (2, 1) of X6 (0, 80x ) 5 bits ≈ 2117.89 1 2 3 4 5

– This step can be done by inserting all the ciphertexts into a hash table indexed by expected inactive bits and choosing the colliding pairs which satisfy the required difference. There is 41-bit filtering condition over the ciphertext pairs. Therefore 269 pairs remain. 2.) Filtering and Key Elimination We follow the steps as in 26-round attack which is given in Table 8 to reach impossible differential characteristic. In step 24, if a pair satisfies the impossible differential characteristic, we eliminate the corresponding guessed key. Since there is five-bit condition, each pair 4 eliminates 2−5 of the keys and after the last pair there remain 2120 (1 − 2−5 )2 ≈ 2119.27 keys. 3.) Final Step: For every recorded 120 bit key (M K0 , . . . , M K12 , M K14 , M K15 ), obtain the remaining eight bits of the key by exhaustive search by checking over three plaintext-ciphertext pairs. The probability that a wrong key is suggested is approximately 2−64×3 = 2−192 . So, the expected number of wrong keys is about 2−192 · 2127.27 = 2−64.73 . It is very likely that we can find the correct key. The total complexity of the steps given in Table 8 is approximately 2121.03 . Since there exists 2119.27 remaining keys, the complexity of the final step is approximately 2127.27 . Therefore, the complexity of this whole attack is 2127.28 31-round Hight computations. Even if this attack is not significant compared to the exhaustive search, it is still an important result against Hight which reduces the safety margin of Hight to one round.

104

5

¨ O. Ozen et al.

Conclusion

In this paper, we present the first related-key cryptanalysis of Present and improve the recent impossible differential attacks on Hight. Although our attacks are totally theoretical and have no practical implications, they show new results for both ciphers. The related-key attacks on Present can be seen as a new approach to see the security of the cipher. Hight, on the other hand, was shown to be secure up to 19 rounds in the original proposal and recently attacked up to 28 rounds. However, our results show that the security of Hight can be further reduced up to one round.

Acknowledgements The authors would like to thank anonymous reviewers of ACISP 2009 for pointing out recent results on Present and Jonsung Kim for the additional information about Hight. We also like to thank Meltem S¨ onmez Turan, Shahram Khazaei and Martijn Stam for reviewing the previous versions of the paper. The simulations were run on the HPC Cluster of the Department of Computer Engineering, Middle East Technical University.

References 1. Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, New York (2002) 2. Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: A New Block Cipher Suitable for Low-Resource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006) 3. South Korea Telecommunications Technology Associations (TTA). 64-bit Block Cipher HIGHT. Standardization Number TTAS.KO-12.0040, December 27 (2006) 4. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) 5. Lim, C.H., Korkishko, T.: mCrypton - A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006) 6. Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: A Scalable Encryption Algorithm for Small Embedded Applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006) 7. Robshaw, M.J.B.: Searching for Compact Algorithms: CGEN. In: Nguyˆen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 37–49. Springer, Heidelberg (2006) 8. Leander, G., Paar, C., Poschmann, A., Schramm, K.: New Lightweight DES Variants. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007) 9. Wheeler, D.J., Needham, R.M.: TEA, a Tiny Encryption Algorithm. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 363–366. Springer, Heidelberg (1995)

Lightweight Block Ciphers Revisited

105

10. Wheeler, D.J., Needham, R.M.: TEA Extensions (October 1997) 11. The eSTREAM Portfolio. The eSTREAM Project (September 2008), http://www.ecrypt.eu.org/stream/ 12. Wang, M.: Differential Cryptanalysis of Reduced-Round PRESENT. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 40–49. Springer, Heidelberg (2008) 13. Albrecht, M., Cid, C.: Algebraic Techniques in Differential Cryptanalysis. To appear in proceedings of FSE (2009) 14. Z’aba, M.R., Raddum, H., Henricksen, M., Dawson, E.: Bit-Pattern Based Integral Attack. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 363–381. Springer, Heidelberg (2008) 15. Collard, B., Standaert, F.-X.: A Statistical Saturation Attack against the Block Cipher PRESENT. To appear in proceedings of CT-RSA (2009) 16. Biryukov, A., Wagner, D.: Slide Attacks. In: Knudsen [26], pp. 245–259 17. Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology 7(4), 229–246 (1994) 18. Lu, J.: Cryptanalysis of Block Ciphers. PhD thesis, Royal Holloway, University of London, England (July 2008) 19. Lu, J.: Cryptanalysis of Reduced Versions of the HIGHT Block Cipher from CHES 2006. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 11–26. Springer, Heidelberg (2007) 20. Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005) 21. Biham, E., Dunkelman, O., Keller, N.: New Combined Attacks on Block Ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 126–144. Springer, Heidelberg (2005) 22. Biham, E., Dunkelman, O., Keller, N.: The Rectangle Attack - Rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340– 357. Springer, Heidelberg (2001) 23. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. Journal of Cryptology 18(4), 291–311 (2005) 24. Biham, E., Biryukov, A., Shamir, A.: Miss in the Middle Attacks on IDEA and Khufu. In: Knudsen [26], pp. 124–138 25. Dunkelman, O.: Techniques for Cryptanalysis of Block Ciphers. PhD thesis, Technion, Israel (February 2006) 26. Knudsen, L.R. (ed.): FSE 1999. LNCS, vol. 1636. Springer, Heidelberg (1999)

106

A

¨ O. Ozen et al.

A Brief Description of Related-Key Rectangle Attack

Let E denote the encryption function of the attacked cipher which is treated as a cascade of four subciphers as E = Ef ◦ E1 ◦ E0 ◦ Eb where the core E  = E1 ◦ E0 is covered by additional rounds called Eb and Ef which are the subciphers before and after the core function respectively to be used in key recovery. The relatedkey differential is the quadruple (ΔX, ΔY, ΔK, p) satisfying following under the nonlinear K-keyed function FK , P r[FK (P ) ⊕ FK⊕ΔK (P ⊕ ΔX) = ΔY ] = p.

Here, ΔX and ΔY are the corresponding input and output differences respectively, ΔK the key difference and p is the corresponding probability. We say ΔK the related-key differential characteristics ΔX → ΔY holds with probability P r = p. ΔK 12

Let α −−−−→ β with probability p be the first related-key differential used ΔK 13

for E0 and γ −−−−→ δ with probability q be the second differential used for E1 . Here, (α, β) and (γ, δ) stand for the input-output differences for E0 and E1 respectively. Wedefine pˆ and qˆ as the probabilities related to α and δ respectively  2 2 as follows: pˆ = P (α → β) and q ˆ = β ΔK 12 γ PΔK 13 (γ → δ). Here, β and γ are the possible differences at the end of E0 and at the beginning of E1 . The key differences ΔK 12 = K 1 ⊕ K 2 = K 3 ⊕ K 4 and ΔK 13 = K 1 ⊕ K 3 = K 2 ⊕ K 4 are the respective key differences for the subciphers E0 and E1 . The subciphers before and after the core function are formed according to the α and δ differences. The basic related-key rectangle attack for the core function works as follows: – Take a randomly chosen plaintext P1 and form P2 = P1 ⊕ α.   – Obtain the corresponding ciphertexts C1 = EK 1 (P1 ) and C2 = EK 2 (P2 ), 2 1 12 where K = K ⊕ ΔK . – Pick another randomly chosen plaintext P3 and form P4 = P3 ⊕ α.   – Obtain the corresponding ciphertexts C3 = EK 3 (P3 ) and C4 = EK 4 (P4 ), 3 1 13 4 3 12 where K = K ⊕ ΔK and K = K ⊕ ΔK . – Check C1 ⊕ C3 = C2 ⊕ C4 = δ. The probability of the rectangle distinguisher is given by P r = 2−n pˆ2 qˆ2 where n is the block size. If pˆ · qˆ is sufficiently high, the rectangle distinguisher works. As shown in [25], if the expected number of right quartets is taken to be four, then there is at least one right quartet in the data set with probability 0.982 since it is a Poisson distribution with expectation of four. Therefore, for this success rate, the number of plaintext pairs needed is N = 2n/2+1 /ˆ pqˆ that consist of 2n+2 /ˆ p2 qˆ2 quartets expecting four right quartets at a time. Further details about rectangle and boomerang attacks can be found in [20,21,22,25].

Lightweight Block Ciphers Revisited

B

Key Schedule Properties of HIGHT Table 9. Relations of the original key with whitening keys and subkeys Original Whitening Key Keys MK15 W K3 SK15 MK14 W K2 SK14 MK13 W K1 SK13 MK12 W K0 SK12 MK11 W K15 SK11 MK10 W K14 SK10 MK9 W K13 SK9 MK8 W K12 SK8 MK7 W K11 SK7 MK6 W K10 SK6 MK5 W K9 SK5 MK4 W K8 SK4 MK3 W K7 SK3 MK2 W K6 SK2 MK1 W K5 SK1 MK0 W K4 SK0

Subkeys SK24 SK31 SK30 SK29 SK28 SK27 SK26 SK25 SK16 SK23 SK22 SK21 SK20 SK19 SK18 SK17

SK41 SK40 SK47 SK46 SK45 SK44 SK43 SK42 SK33 SK32 SK39 SK38 SK37 SK36 SK35 SK34

SK58 SK57 SK56 SK63 SK62 SK61 SK60 SK59 SK50 SK49 SK48 SK55 SK54 SK53 SK52 SK51

SK75 SK74 SK73 SK72 SK79 SK78 SK77 SK76 SK67 SK66 SK65 SK64 SK71 SK70 SK69 SK68

SK92 SK91 SK90 SK89 SK88 SK95 SK94 SK93 SK84 SK83 SK82 SK81 SK80 SK87 SK86 SK85

SK109 SK108 SK107 SK106 SK105 SK104 SK111 SK110 SK101 SK100 SK99 SK98 SK97 SK96 SK103 SK102

SK126 SK125 SK124 SK123 SK122 SK121 SK120 SK127 SK118 SK117 SK116 SK115 SK114 SK113 SK112 SK119

107

Improved Cryptanalysis of the Common Scrambling Algorithm Stream Cipher Leonie Simpson1 , Matt Henricksen2 , and Wun-She Yap2 1

Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane Qld 4001, Australia [email protected] 2 Institute for Infocomm Research, A*STAR, Singapore {mhenricksen,wsyap}@i2r.a-star.edu.sg

Abstract. This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm stream cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed. Correcting this flaw increases the complexity of that attack so that it is worse than exhaustive key search. Although that attack is not feasible, the reduced state size of our representation makes it obvious that CSA-SC is vulnerable to several generic attacks, for which feasible parameters are given. Keywords: Digital Video Broadcasting, Common Scrambling Algorithm, Stream Cipher, Cryptanalysis.

1

Introduction

The Digital Video Broadcasting Common Scrambling Algorithm (CSA) has been used to encrypt European cable digital television signals since 1994. It was specified by the European Telecommunication Standards Institute (ETSI), and the proprietary algorithm was distributed to cable TV subscribers in the form of a hardware chip. Although some high-level details appear in patents [3], the algorithm has never officially been revealed. In 2002, a software program that implemented the algorithm was released in binary form. This was reverse engineered by hackers who released the details of the CSA algorithm. The CSA algorithm can be considered as the application of two cipher layers: a stream cipher layer and a block cipher layer. For encryption, the block cipher is applied first, followed by the stream cipher layer. For decryption, the stream cipher layer is applied first, followed by the block cipher layer. Both the block and stream ciphers are initialized using the same 64-bit key. We do not consider C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 108–121, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Improved Cryptanalysis of the CSA-SC

109

the block cipher component within this paper. The stream cipher component is a binary additive stream cipher. We refer to the keystream generator for the stream cipher component of the CSA algorithm as CSA-SC. The CSA-SC structure comprises two nonlinear Feedback Shift Registers (FSRs), a combiner with memory and an output function. In the patent application [3], the total internal state size of CSA-SC is described as 107 bits. In previous analysis of CSA-SC, Weinmann and Wirt [8] showed that it can be modelled using 103 bits, and note that the period of the keystream produced by CSA-SC is upper bounded by 2103 . In this paper, we provide a new representation of CSA-SC that uses only 89 state bits. Consequently the maximum CSA-SC keystream period must be much less than the 2103 bits asserted by Weinmann and Wirt [8], with an upper bound of 289 bits. This significant reduction in state size also has implications for the security of CSA-SC. Weinmann and Wirt [8] presented an analysis of CSA-SC and proposed a guess-and-determine attack with complexity less than 245 , based on their 103 bit CSA-SC representation and predicated on the state cycle structure of one of the FSRs during keystream generation. They claimed that the state cycle structure for this FSR consists of many leading paths and short cycles, with experimental simulation to support this conjecture. However, in examining the cycle structure of the FSR when developing our 89-bit model, we identified that there are no leading paths to cycles, and short cycles were not readily located, implying that the Weinmann-Wirt attack can not work as claimed. We present our model of the CSA-SC in Section 2. In Section 3, we provide theoretical observations about the state update functions used in CSA-SC. These observations contradict the results presented by Weinmann and Wirt [8], but show that there are security vulnerabilities that can be exploited in cryptanalytic attacks. Section 4 describes an exploration of the FSR state cycle structure. This is motivated by the discrepancy between our observations and the results presented in [8]. Section 5 discusses several possible attacks on CSA-SC. In Section 5.1, the analysis of CSA-SC in [8] is summarized, and the problem with their attack is discussed. In Section 5.2, the vulnerability of CSA-SC to time-memory tradeoff attacks is demonstrated. Section 6 presents some closing remarks on the security of CSA-SC.

2

Specification of the CSA-SC

CSA-SC comprises two FSRs and a combiner with memory. These are denoted FSR-A, FSR-B and FSM-C, respectively. For our representation of CSA-SC, FSR-A and FSR-B each have ten stages, with each stage containing one four-bit word (a nibble). The combiner FSM-C consists of two stages, each containing a nibble, and a single-bit carry. The total state size is 89 bits. Figure 1 shows a high-level view of the relationships between components of the CSA-SC during keystream generation. During keystream generation, FSR-A is autonomous. The state update function for FSR-A is nonlinear, with the output of the s-box SA used in calculating

110

L. Simpson, M. Henricksen, and W.-S. Yap

Fig. 1. High-level view of the relationship between components during CSA-SC keystream generation

the next state value. Nonlinear outputs from FSR-A are also used as input to the update functions of both FSR-B and FSM-C, by providing all of the input to s-boxes SB , SD , SP , and SQ . The outputs of SB and SP are used to modify FSR-B, and the outputs of SD and SQ are used to modify FSM-C. The specific state update functions for each component and the keystream output function are described in greater detail in Section 2.1. The notation used in this paper is as follows. Let At represent the contents of FSR-A at time t. Then Ati,j represents bit j of the ith stage of FSR-A at time t t, where i ∈ {0, 1, . . . , 9} and j ∈ {0, 1, 2, 3}. Similarly, Bi,j represents bit j of the ith stage of FSR-B at time t. At time t, the contents of the two four-bit t stages of FSM-C are denoted Di,j , where i ∈ {0, 1} and j ∈ {0, 1, 2, 3}, and the contents of the one-bit carry are denoted ct . According to ETSI conventions, the most significant bit of a stage is denoted by index 0. Binary addition and modular addition in Z24 are represented by ⊕ and  operators, respectively. ROLx represents word rotation to the left by x bits. c||D represents the concatenation of bit c and word D. For example, 0||1001 = 01001. 2.1

Generating Keystream

When the keystream generator is clocked at time t, FSR-A, FSR-B and FSM-C are simultaneously clocked. FSR-A is autonomous, and contributes to the state update functions of FSR-B and FSM-C. Nonlinear combinations of values stored in FSR-A stages, obtained through the use of various s-boxes, are used in the state update functions of all components. S-boxes SA , SB and SD each take twenty-bit inputs from FSR-A and provide 4-bit outputs. S-boxes SP and SQ take 5 bits of input from FSR-A, and each produce a 1-bit output. Specific details regarding the s-boxes are contained in Appendix A. The state update functions for the CSA-SC components are as follows:

Improved Cryptanalysis of the CSA-SC

Ati = At−1 i−1 At0 = At−1 ⊕ SA (At−1 ) 9

1≤i≤9

t−1 Bit = Bi−1 t B0 = ROLSP (At−1 ) (B6t−1 ⊕ B9t−1 ⊕ SB (At−1 ))

1≤i≤9

111

t−1 D1t = D  0 t−1 t−1 c ||D1 if SQ (At−1 ) = 0 ct ||D0t = t−1 t−1 t−1 SD (A )  D1  c if SQ (At−1 ) = 1

The keystream is produced as a series of 2-bit words. The contents of FSR-A, FSR-B and FSM-C all contribute to the keystream output word z t . To facilitate effective cryptanalysis, we consider the formation of z t based on an intermediate word, denoted wt . The 4-bit intermediate word wt and the 2-bit keystream output z t are obtained as follows: wt = SD (At−1 ) ⊕ FC (B t−1 ) ⊕ D1t−1 z t = f (wt  2)||f (wt mod 22 )



where f (x) =

0 if x = 0 or x = 3 1 if x = 1 or x = 2

The function FC produces four bits of output, with each output bit formed t from a linear combination of four bits from FSR-B. Specifically, FC (B t ) = (B2,0 ⊕ t t t t t t t t t t t t B5,1 ⊕ B6,2 ⊕ B8,3 )||(B5,0 ⊕ B7,1 ⊕ B2,3 ⊕ B3,2 )||(B4,3 ⊕ B7,2 ⊕ B3,0 ⊕ B4,1 )||(B8,2 ⊕ t t t B5,3 ⊕ B2,1 ⊕ B7,0 ). 2.2

A Note on Previous Representations

In the DVB patent [3], the CSA-SC algorithm is defined as having a state of 107 bits. This representation facilitates an efficient hardware implementation. The CSA-SC representation of Weinmann and Wirt [8] reduced the state size from 107 to 103 bits. Our representation obtains a further reduction in the state size to 89 bits, by removing the 4-bit memories X, Y , and Z and one-bit memories p and q from the representation used by Weinmann and Wirt. These memories hold the outputs of s-boxes at time t, and are used in the state update function at time t + 1 to form feedback. In this representation, none of the s-boxes use the final stage of FSR-A, A9 . When the state update function is applied to FSR-A, the contents of At0..8 are shifted to become At+1 1..9 . All of the values required to calculate the feedback at time t remain in the FSR at time t + 1, so the memories, while useful in constructing efficient hardware, are not required in an equivalent representation of the shift register. In the equivalent representation, the indices of the stages used as inputs to the s-boxes must be incremented by one.

112

L. Simpson, M. Henricksen, and W.-S. Yap

Note that in the original representation, the initial value of all memories is zero. For our representation, this necessitates a special case for the first clock of the key initialization process where the output of the s-boxes must be treated as zero irrespective of their inputs. Although this may not be the most efficient hardware implementation, it permits a cryptographically equivalent representation of CSA-SC using only 89 bits. Neither our work nor that of Weinmann and Wirt considers the key initialization during cryptanalysis, so we omit the details of the initialisation process in this paper. There are several errors in the specification given in the work of Weinmann and Wirt [8], which we correct in Appendix A of this paper.

3

Some Observations on CSA-SC

In this section, we make some observations regarding CSA-SC. Firstly, in Section 3.1, we show that during keystream generation the state update functions of both FSR-A and FSR-B are invertible. That is, given the state of the two FSRs at time t + 1, the corresponding FSR states at time t can be uniquely determined. This contradicts the claims of leading paths to short cycles made by Weinmann and Wirt [8], motivating our exploration of the FSR-A state cycles presented in Section 4. Secondly, in Section 3.2 we make observations regarding the ratio of the CSA-SC state size to the key size, which indicates a vulnerability to a generic style of attack. 3.1

State Update Functions during Keystream Generation

The state update functions for FSR-A and FSR-B are invertible. As FSR-A is autonomous during keystream generation, but FSR-B is dependant on FSR-A, it is necessary to establish that the state update function for FSR-A is invertible before examining the state update function for FSR-B. Following this, the conditions under which the FSM-C may be inverted are also presented. The state update function for FSR-A makes use of SA , a 20 × 4 s-box. Although SA itself is not bijective, the FSR-A state update function is nevertheless invertible because (rearranging the state update function in Section 2.1): At−1 = Ati+1 0≤i≤8 i t−1 A9 = At0 ⊕ SA (At−1 ) That is, for the inversion, the register contents are shifted back one stage, rather than forward, and the contents of the last stage, A9 , are computed from the contents of At0 and the output of SA at time t − 1. Now given that SA (At−1 ) t−1 takes as input 20 bits from At−1 , including the two bits At−1 9,0 and A9,1 , this initially appears to cause a circular dependancy. However, if SA is considered as the concatenation of four 5-input Boolean functions, then the ouput of each of these functions can be computed individually and the dependency avoided. Table 3 in Appendix A shows the stages of FSR-A which provide the inputs t−1 to each of the four Boolean functions. At−1 9,0 and A9,1 depend upon the input

Improved Cryptanalysis of the CSA-SC

113

sets s3 and s2 , respectively. Only bits in stages 1-6 and 8 of At−1 (equivalent to stages 2-7 and 9 of At ), are required, and these are already known. At−1 9,2 and At−1 depend upon the input sets s and s , respectively. These input sets 1 0 9,3 t−1 t−1 t−1 include At−1 9,0 and A9,1 . Therefore, if A9,0 and A9,1 have been calculated, then t−1 t−1 A9,2 and A9,3 can also be calculated, obtaining the state At−1 in its entirety. As the state update function for FSR-A is invertible, if the state of FSR-A is known at time t, then all future and previous states of FSR-A during keystream generation can be easily calculated. It follows from the invertibility of FSR-A and the use of only a linear combination of the stages of FSR-B in the state update function for FSR-B that the state update function of FSR-B can also be inverted, once At−1 is obtained, as follows: t Bit−1 = Bi+1 0≤i≤8 t−1 B9 = ROL3−SP (At−1 ) (B0t ) ⊕ B6t−1 ⊕ SB (At−1 ) = ROL3−SP (At−1 ) (B0t ) ⊕ B7t ⊕ SB (At−1 )

That is, given the internal state of FSR-A and FSR-B at time t during keystream generation, all previous and future state values for these two feedback shift registers can be calculated. The final component to consider is FSM-C. From the FSM-C state update function, D0t−1 = D1t . However, the value of ct−1 ||D1t−1 is dependent on the values of ct , D0t and At−1 . When SQ (At−1 ) = 0, then given Dt and ct , it is obvious that ct−1 ||D1t−1 = ct ||D0t . However, when SQ (At−1 ) = 1, the calculation of ct−1 ||D1t−1 is more complex, due to the use of integer addition rather than XOR. Consider the case where SQ (At−1 ) = 1. As ct ||D0t = SD (At−1 )  D1t−1  ct−1 , clearly D1t−1  ct−1 = ct ||D0t − SD (At−1 ), where the addition and subtraction are integer rather than bitwise operations. There are two possible values for ct−1 , so this provides two possible values for ct−1 ||D1t−1 . The intermediate keystream word wt is given by wt = SD (At−1 )⊕FC (B t−1 )⊕ t−1 D1 , and wt , SD (At−1 ) and FC (B t−1 ) are all known, but D1t−1 is unknown. However, the sum D1t−1  ct−1 is known. The contribution of ct−1 to D1t−1  ct−1 is in the least significant bit, but as the addition is integer addition, this raises the possibility of carry to the next bit position, and so on. That is, if ct−1 = 1 and the least significant bit of D1t−1 = 1, then the least significant bit of the integer sum will be 0, and the influence of ct−1 is carried to the next position. However, where the least significant bit of the integer sum is 1 (that is, the sum is an odd value), clearly the value of ct−1 and the value of the least significant bit of D1t−1 are not the same, so there is no possibility that the influence of ct−1 extends beyond that least significant bit position. The 2-bit keystream output z t is useful in discovering whether the two least significant bits in D1t−1 are the same (00 or 11) or different (01 or 10). Combining this knowledge with a known odd value of D1t−1  ct−1 enables a unique value of ct−1 ||D1t−1 to be determined. Note that FSM-C is the only section of the CSA-SC internal state where the state cycle mapping may involve branching. If SQ (At−1 ) = 0 there is a unique

114

L. Simpson, M. Henricksen, and W.-S. Yap

previous state. However, if SQ (At−1 ) = 1 then a unique previous state exists only if D1t−1  ct−1 = ct ||D0t − SD (At−1 ) is odd, and known keystream bits can be used to determine this unique state. Otherwise, there are two possible prior states for the combiner. 3.2

The Ratio of State Size to Key Size

The CSA-SC key initialization uses the combination of a 64-bit key and 64bit IV to populate the 89-bit state in preparation for keystream generation. That is, the initialisation function takes 128 bits of input and produces an 89-bit output: the CSA-SC initial state at the start of keystream generation. Although this paper does not consider the specific details of the initialisation function, clearly there exist multiple key-IV pairs that produce the same internal state at the start of keystream generation, and hence the same keystream. That is, the use of different keys does not guarantee the production of different keystreams. Even for a single 64-bit key, clearly there are multiple IVs for which the initial 40-bit state of FSR-A will be the same. As the nonlinearity of the functions used in CSA-SC is largely determined by the contents of FSR-A, CSA-SC may be vulnerable to divide and conquer attacks which target FSR-A. The small CSA-SC state size also indicates a potential vulnerability to timememory-data (TMD) tradeoff attacks. These known-plaintext attacks can be used to identify either the internal state of CSA-SC, or the key. These attacks are discussed in greater detail in Section 5.

4

Exploring the State Cycles of FSR-A

In Section 3.1, the state update function of FSR-A is shown to be invertible. Therefore every state of FSR-A has exactly one previous state and exactly one successor state. Consequently, there is either one cycle of length 240 in the FSRA state space or there are multiple disjoint cycles. It is possible that some of these may be short cycles. There can be no overlapping cycles, and there are no cycles with leading paths. Floyd’s algorithm [6] can be used to detect cycles. This simple algorithm, when applied to FSR-A of CSA-SC, detects a single cycle using the following steps: Algorithm FA 1. Initialize two instances A0 and A1 of FSR-A with the same initial state s 2. Set counter l to 0. 3. Do (a) Clock A0 once. Increment counter l. (b) Clock A1 twice. while state(A0 ) is not equal to state(A1 ). 4. Output l as the length of the cycle.

Improved Cryptanalysis of the CSA-SC

115

Applying Floyd’s algorithm to comprehensively map all of the cycles produced by FSR-A using the following algorithm raises a problem in detemining which values of s to select. Algorithm A 1. Set t to 240 . 2. Do (a) Choose unique value of s. (b) Invoke Floyd’s algorithm (Algorithm FA) for s, which outputs cycle length l for state s. (c) Decrement t by the value of l. while t > 0. A naive memoryless approach is to begin with s = 0 and increment s until s = 240 − 1. This which ensures that all cycles are mapped, but the running time of the process, at O(280 ), makes this infeasible. A modification to the algorithm, using a time-memory tradeoff, tracks the state values visited (using a one-bit flag per state). During each invocation of Floyd’s algorithm, the value s is chosen from the complement of the set of visited states. The running time of this algorithm is 240 · c, but the storage requirement is 240 × log2 240 bits = 2.3 terabytes. In practice, this version of the algorithm must be implemented using hard disks, which have high latency, so that the constant c becomes quite large. The storage requirements can be improved by tracking and storing only “distinguished points”. For example, states with an 8-bit prefix consisting of 0 bits may be considered “distinguished”. This reduces disk usage by a factor of 28 . However, the algorithm will not detect any cycles that traverse only non-distinguished points. Since Weinmann and Wirt [8] claim the existence of small cycles, we do not want to take this approach. A possible compromise is to use the first approach, in which at iteration i, si = i, but with a slight modification to include early stopping criteria. If Floyd’s algorithm traverses over state j < i at iteration i, then the cycle has been visited previously and the algorithm aborts early. Similarly, if the cycle length l is larger than the state space not so far searched, then the algorithm has rediscovered a cycle and aborts. Given that we know there are no leading paths, the algorithm can be optimized by using a single instance of FSR-A, with a stopping condition that a cycle has been found when the starting point is traversed for the second time. Algorithm FA-M 1. Initialize an instance A of FSR-A with the initial state s. 2. Set counter lc to 0, lmax to t. 3. Do (a) Clock A once. (b) Increment counter lc . (c) If lc > lmax then abort. while state(A) is not equal to initial state s.

116

L. Simpson, M. Henricksen, and W.-S. Yap Table 1. Cycles identified in FSR-A State Space Cycle number Cycle length Cycle length (log 2) 1 307,080,986 28.19 2 783,472,466 29.52 3 10,152,192,874 33.24 4 14,199,085,442 33.72 5 36,257,653,742 35.08 6 78,922,935,703 36.20 7 225,691,600,544 37.72 8 308,063,543,688 38.16 9 424,911,536,585 38.63 Total 1,099,289,102,030 39.9997

4. Output lc as the length of the cycle The running time of the FA-M algorithm varies depending on the length of the cycles that it finds. The results of our search are shown in Table 1. They were generated using several Intel Core Duo machines. Each core is capable of iterating through 238 states per day. The identification of nine large cycles in conjunction with the observation that the update function is invertible provides strongly contradictory evidence to the claims of Weinmann and Wirt [8] that 98% of the state space of FSR-A can be partitioned into very short cycles.

5

Cryptanalysis of CSA-SC

Observations made in Section 3.2 indicate CSA-SC may be vulnerable to two common styles of attack. The dependence of other components on the autonomous 40-bit FSR-A for nonlinearity indicates the potential for divide and conquer style attacks which target FSR-A. The ratio of the state size to the key size indicates a vulnerability to a generic style of attack known as Time-Memory Tradeoff (TMTO) attack. The attack in by Weinmann and Wirt [8] targets FSRA, and is reviewed in Section 5.1. The application of TMTO attacks to CSA-SC is discussed in Section 5.2. 5.1

The Weinmann and Wirt Attack

A guess-and-determine attack on CSA-SC which targets FSR-A is presented by Weinmann and Wirt [8]. The aim of the attack is to recover the internal state of the cipher during keystream generation, when FSR-A is autonomous. The attack complexity is claimed to be less than 245 . We explain the flaw in this attack and show that, when the flaw is corrected, the attack performance is actually worse than exhaustive key search. The attack is performed in three phases. In the first phase, the attacker guesses 53 bits of state comprising FSR-A, FSM-C and the 4-bit memory X used by

Improved Cryptanalysis of the CSA-SC

117

Weinmann and Wirt [8] for their 103-bit CSA-SC representation. Because each output bit of FC is a linear combination of bits within FSR-B, and these output bits are linearly combined to form the keystream, a system of equations can be formed relating the keystream bits to the unknown contents of FSR-B. The second phase of the attack solves this system of equations using Gaussian elimination. The third phase of the attack comprises consistency checking to establish the veracity of guesses made in the first phase. If the consistency checking fails, the guess in the first phase is considered incorrect and a new guess is made. Otherwise, the attack terminates and the combination of the 53-bit guess and the solution to the equation system is used to recover the initial internal state. The cost of the first phase is 253 operations. In the second phase, a system of equations containing 60 equations in 40 unknowns is developed, which can be solved using Strassen’s algorithin in 217.7 operations. The cost of the third phase is negligible. The total complexity of the state recovery attack is therefore around 270.7 operations, which is about one hundred times worse than a brute-force key search on the 64-bit key. Weinmann and Wirt [8] claimed to have identified numerous short cycles produced by the FSR-A feedback function. They performed 10,000 random initializations of the cipher, and found that for 98.4% of cases, those key-IV pairs led to FSR-A state cycles with lengths of between 108 and 121,992. This lead to the assumption that for any key-IV pair, the effective state space for FSR-A is equal to the sum of the lengths of those short cycles, with 98.4% probability. An attacker does not know the key, so must guess FSR-A states from all of the points on all of the short cycles. Ignoring leading paths, this gives a total of 313,169 possibilities. Therefore, Weinmann and Wirt[8] claim that the cost of the first phase is reduced to 219 × 29 , where the second term is the cost of guessing the memories and registers in FSM-C. The optimisation of the guessing phase of the divide and conquer attack is necessary in order for the attack to be faster than exhaustive search. However, both the theoretical observation in Section 3.1 that no leading paths exist because the FSR-A feedback function is invertible, and the empirical results in Section 4 that demonstrate the FSR-A state cycles form a small number of disjoint large cycles show that the basis for the optimisation is unfounded. Thus the performance of Weinmann and Wirt’s attack is worse than exhaustive key search, unless further optimizations are identified. 5.2

Time-Memory Tradeoff Attacks

As the TMTO approach is well known, it is not described here. Instead, we refer the reader to the work of Hong and Sarkar [7] for a description of the phases of TMTO attacks. Our analysis aims to determine the feasibility of applying TMTO attacks to CSA-SC given the constraints on the amount of keystream available to an attacker. The specification for Digital Video Broadcasting indicates that keystream is propagated at a maximum rate of 64 Mb/s, and that rekeying occurs at least every 120 seconds. Therefore, for a single key-IV pair, assume

118

L. Simpson, M. Henricksen, and W.-S. Yap

that an attacker has access to about D = 233 bits of data. We consider possible tradeoffs for two styles of TMTO. The first style of TMTO attack is one in which the attacker attempts to invert the CSA-SC keystream to recover the internal state. For this style of attack, the attacker must satisfy the time-memory-data tradeoff curve N 2 = T M 2 D2 for T ≥ D2 and T < 2K , where N = 289 is the total number of states, T is the time taken to execute the attack, and M is the amount of memory required to store precomputed tables. The value 2K = 264 represents the computational effort required to launch a brute force attack. The attacker is unable to make use of all available data since T ≥ D2 implies that T > 2K . Reasonable parameters are therefore D = 225 , T = 250 and M = 239 , for which the attacker requires around 6 terabytes of disk space. This is feasible by today’s standards. If the key initialization function was invertible, then the recovered internal state could be used to derive the key. However, this does not seem to be the case. Therefore this attack is of limited use, since frequent key-IV rekeying is mandatory within the DVB specification, and this attack must be performed on the keystream segment obtained after each rekeying. The second style of TMTO attack attempts to invert the CSA-SC keystream to recover the key. For this style of attack, the state size is immaterial. The same time-memory-data tradeoff curve holds, but N now refers to the number of possible key+IV values, rather than the number of possible internal states. Here, N = 264+64 . Taking the Dunklemann-Keller approach [4], the attacker prepares different tables for many IVs in the precomputation phase. This removes the restriction that T ≥ D2 , at the expense of reducing the success rate of the attack if the right IVs are not used. Due to the larger size of N , the computational complexity of this attack is inferior to the first, with one possible parameter set being D = 248.5 , T = 253 , M = 253 . However, as this is key recovery rather than state recovery, the stipulation for frequent rekeying does not present a limitation. Therefore, any proposed key recovery attack on CSA-SC with time complexity greater than T=253 should be regarded as unnecessary unless the data and memory requirements are much less than those given for this TMD attack.

6

Discussion and Conclusion

In this paper we provide a new representation of CSA-SC that uses only 89 state bits, a significant reduction over the 107 bits and 103 bits used for previous representations. Theoretical observations about the state update functions of components of CSA-SC contradict the empirical results presented in previous research [8], motivating an exploration of the state cycles for FSR-A. Our FSR-A state-cycle findings raise doubts about the validity of the optimisation required in order for the divide and conquer attack presented by Weinmann and Wirt [8] to be successful. It appears that the complexity of that state recovery attack is not around 245 , as claimed, but in fact worse than exhaustive key search. Even applying their approach to our representation of CSA-SC,

Improved Cryptanalysis of the CSA-SC

119

where the state size is reduced because the memory X is redundant, results in an overall attack complexity of about 266.7 operations. This is about thirteen times worse than brute force attack and several orders of magnitude worse than TMTO attacks, although with the memory requirement is less than for the TMTO attacks. The reduction in the state space obtained in our model indicates that CSA-SC is vulnerable to TMTO attacks. Given a keystream segment produced from a single key-IV pair, a state recovery attack is possible with data, time and memory parameters of D = 225 , T = 250 and M = 239 , respectively. Additionally, for an increased data value obtained by taking keystream segments formed from a single key, but possibly multiple known IVs, a key recovery attack is possible, with data, time and memory requirements of D = 248.5 , T = 253 , M = 253 , respectively. This application of a generic attack style to CSA-SC shows that CSA-SC is vulnerable to cryptanalytic attack. The attacks discussed in this paper made no use of the CSA-SC initialisation process. Exploring the initialisation process may reveal weaknesses that will lead to improved attacks on this cipher. Additionally, it may be possible to improve the performance of divide and conquer attacks targeting FSR-A by reducing the complexity of determining whether guessed FSR-A and FSM-C states are correct. This could be accomplished, by using a distinguisher, and only proceeding to solving the system of equations to recover the contents of FSR-B for a correct guess. We examined the cipher with respect to differential and linear attacks, and to guess-and-determine attacks. Even though the s-boxes are far from optimal with respect to differential and linear attacks, the fact that in each clock cycle, half of the bits in FSR-A are passed through s-boxes makes it difficult to utilize the s-box biases; ie. the diffusion in the register is good. Likewise, this means that a large number of bits must be guessed in order to determine a single nibble in the register, and a straightforward guess-and-determine approach is ineffective in reducing the complexity of an attack below 253 operations, even considering the effective reduced state size. Although there are generic attacks that apply to CSA-SC, it appears that the attack strategy of Weinmann and Wirt [8] does not succeed in key recovery with better complexity than brute force. Acknowledgements. Thanks to anonymous referees for their valuable comments. Thanks also to Yian Chee Hoo for his spare computer cycles.

References 1. Anonymous. CSA - known facts and speculations (2003), http://csa.irde.to 2. Bernstein, D.J.: Costs of cryptanalytic hardware, Posting to ECRYPT eSTREAM forum, August 21 (2005), http://www.ecrypt.eu.org/stream/phorum/read.php?1,95,95#msg-95 3. Bewick, S.: Descrambling DVB data according to ETSI common scrambling specificiation. UK Patent Application GB2322995A (1998)

120

L. Simpson, M. Henricksen, and W.-S. Yap

4. Dunkelman, O., Keller, N.: Treatment of the Initial Value in TMTO Attacks. In: SASC 2008: The State of the Art of Stream Ciphers, Lausanne, Switzerland, pp. 249–258 (2008) 5. FFDeCSA 1.0.0 implementation, http://www.dvbsupport.net/download/index.php?act=view&id=129 6. Floyd, R.: Non-deterministic Algorithms. Journal of the Association for Computing 4(14), 636–644 (1967) 7. Hong, J., Sarkar, P.: New Applications of Time Memory Data Tradeoffs. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 353–372. Springer, Heidelberg (2005) 8. Weinmann, R.-P., Wirt, K.: Analysis of the DVB Common Scrambling Algorithm. Communications and Multimedia Security. In: Proceedings of the 8th IFIP TC6 TC-11 Conference on Communications and Multimedia Security (CMS 2004). Springer, Heidelberg (2004)

A

CSA-SC S-Boxes

CSA-SC has not been published by ETSI. Information has been revealed in patents [3] and by reverse engineering of implementations; see, for example, [5]. The specification by Weinmann and Wirt [8] is the best academic description of CSA-SC in the public literature to date but contains multiple errors; including a misprint in the table that specifies inputs from FSR-A into the s-boxes, and incorrect ANFs for the component boolean functions of the s-boxes. We give the (hopefully) correct versions below. Table 2 describes the s-boxes referred to in Section 2. Each s-box is built from 5-input boolean functions. S-boxes SA , SB and SD are each constructed from four boolean functions, while s-boxes SP and SQ are each built from a single boolean function. These boolean functions are denoted Fi (sj ) in the following tables, where i denotes the function index and sj denotes the jth set of FSR-A positions which provide the five inputs to Fi . The FSR-A positions for the 5 inputs xi , 0 ≤ i ≤ 4 are given in Table 3. The boolean functions are given in Algebraic Normal Form in Table 4. For example, the most significant output bit of s-box SA is F6 (s3 ), where F6 is 1 + x0 + x1 + x5 + x0 ·x4 ...+ x0 x1 x2 x3 x4 x5 , and from the definition of s3 in Table 3, x0 = A3,3 , x1 = A1,1 , x2 = A2,3 , x3 = A4,2 and x4 = A8,0 .

Table 2. S-boxes used in our model of CSA-SC S-box Input Size (bits) Output Size (bits) Output SA 20 4 F6 (s3 )||F4 (s2 )||F3 (s1 )||F1 (s0 ) SB 20 4 F10 (s5 )||F8 (s4 )||F7 (s3 )||F5 (s2 ) SD 20 4 F2 (s1 )||F0 (s0 )||F11 (s5 )||F9 (s4 ) SP 5 1 F13 (s6 ) SQ 5 1 F12 (s6 )

Improved Cryptanalysis of the CSA-SC

121

Table 3. Inputs from FSR-A into the S-box boolean functions Function input x0 s0 A4,0 s1 A2,1 s2 A1,3 s3 A3,3 s4 A5,2 s5 A3,1 s6 A2,2

x1 A1,2 A3,2 A2,0 A1,1 A4,3 A4,1 A3,0

x2 A6,1 A6,3 A5,1 A2,3 A6,0 A5,0 A7,1

x3 A7,3 A7,0 A5,3 A4,2 A8,1 A7,2 A8,2

x4 A9,0 A9,1 A6,2 A8,0 A9,2 A9,3 A8,3

Table 4. Algebraic Normal Forms of 5-input Boolean functions Fi , 0 ≤ i < 14 i Algebraic Normal Form of Fi 0 1 + x 4 + x 3 + x 3 x4 + x2 x4 + x2 x 3 + x1 x4 + x 1 x3 + x1 x 2 + x1 x2 x 4 + x1 x2 x 3 + x0 + x0 x3 x4 + x0 x2 + x 0 x2 x3 + x0 x1 + x 0 x 1 x3 + x 0 x 1 x3 x4 + x 0 x1 x2 + x 0 x1 x2 x 3 1 x3 + x2 x4 + x1 + x1 x4 + x1 x3 x 4 + x0 x4 + x0 x1 + x0 x 1 x3 + x0 x1 x 2 + x0 x1 x2 x 4 2 1+x4 +x3 +x2 x4 +x2 x3 +x2 x3 x4 +x1 +x0 x2 x3 +x0 x1 x4 +x0 x1 x3 +x0 x1 x3 x4 + x0 x1 x2 3 1 + x3 + x2 + x2 x4 + x 1 x3 x4 + x1 x2 x 4 + x0 x3 x 4 + x0 x2 + x0 x1 + x 0 x1 x3 x 4 + x0 x1 x2 x4 4 1 + x4 + x3 + x2 x4 + x2 x3 + x2 x 3 x 4 + x1 + x1 x4 + x1 x 3 + x1 x 3 x4 + x1 x2 + x1 x2 x3 + x 0 + x 0 x3 + x0 x3 x 4 + x0 x 2 + x0 x2 x 4 + x0 x2 x 3 + x0 x 2 x 3 x4 + x 0 x 1 x4 + x0 x1 x2 + x0 x1 x2 x3 5 x3 + x3 x4 + x2 x4 + x1 + x0 6 1 + x 4 + x 3 x4 + x2 + x2 x3 x4 + x1 + x1 x2 x 3 + x0 + x0 x 4 + x0 x3 + x0 x2 x3 x 4 + x0 x1 + x0 x1 x4 + x 0 x1 x3 x4 + x 0 x1 x2 + x0 x1 x2 x 3 7 1 + x 3 + x3 x4 + x 2 + x1 x4 + x 1 x 3 x 4 + x 1 x2 + x 0 x4 + x0 x3 + x0 x2 x 3 x 4 + x 0 x 1 + x0 x1 x4 + x 0 x1 x3 x4 + x0 x1 x2 + x0 x1 x2 x 3 8 1+x4 +x3 +x3 x4 +x2 x4 +x2 x3 +x2 x3 x4 +x1 +x1 x4 +x1 x3 x4 +x1 x2 x4 +x1 x2 x3 + x0 x4 + x0 x3 + x0 x2 + x0 x2 x 3 + x0 x2 x 3 x 4 + x0 x1 x 4 + x0 x1 x3 + x0 x 1 x2 x4 + x0 x1 x2 x3 9 x3 x4 + x2 + x2 x4 + x2 x3 x4 + x1 x4 + x1 x3 + x1 x 2 x4 + x0 x 4 + x0 x2 + x0 x2 x 4 + x0 x2 x3 + x 0 x2 x3 x4 + x0 x1 + x 0 x1 x4 + x0 x1 x3 + x0 x1 x 3 x 4 10 x3 + x2 x4 + x1 x3 x4 + x1 x2 + x1 x2 x4 + x0 + x0 x3 x4 + x0 x1 x4 11 x4 +x2 +x2 x3 +x2 x3 x4 +x1 x3 +x1 x2 +x1 x2 x3 +x0 x3 x4 +x0 x2 x3 +x0 x2 x3 x4 + x0 x1 x3 x4 + x0 x1 x2 x3 12 x4 +x3 +x3 x4 +x2 +x1 +x1 x3 x4 +x0 x4 +x0 x3 x4 +x0 x2 +x0 x2 x3 +x0 x2 x3 x4 + x0 x1 x3 x4 + x0 x1 x2 x3 13 x4 + x3 x4 + x2 + x2 x3 + x2 x3 x4 + x1 + x1 x2 + x0 + x0 x1 x3 + x0 x1 x3 x4

Testing Stream Ciphers by Finding the Longest Substring of a Given Density Serdar Bozta¸s1 , Simon J. Puglisi2 , and Andrew Turpin2 1

2

School of Mathematical & Geospatial Sciences School of Computer Science & Information Technology, RMIT University, Melbourne VIC, Australia [email protected], {simon.puglisi,andrew.turpin}@rmit.edu.au

Abstract. Given a string x[1..n] drawn from the alphabet {0, 1}, and a rational density parameter 0 ≤ θ ≤ 1, this paper considers algorithms for finding the longest substring of x with density θ. That is, if the length of the substring is m, the number of one-bits in the substring is exactly θ × m. It is surprisingly difficult to devise an algorithm that has worst case time less than the obvious brute-force algorithm’s O(n2 ). We present three new approaches to reducing the running time, and an algorithm that solves the problem in O(n log n) expected time. We then apply the new algorithm, as well as an empirical estimate of the lim-sup and the lim-inf of a centred statistic which is expected to obey a law of the iterated logarithm, to the randomness testing of (a) the output of the BSD function Random, and (b) the output of the stream cipher Dragon. The results for these outputs warrant further study.

1

Introduction

“A method of producing random numbers should not be chosen at random”−Donald Knuth, in [8]. The security of modern information systems depends on the quality of pseudorandom number generators and the “randomness” of numbers they produce. As such, algorithms that test these generators are of interest – they provide some level of assurance. Randomness testing has been investigated by various authors in the past: Knuth [8] has a good overview of such tests, L’Ecuyer [4] has also considered the same problem, from a different point of view. Other references in this area include The Handbook of Applied Cryptography [10] (see Chapter 5), Marsaglia’s work [9] including his DIEHARD battery of randomness tests, and the recent volume [12] by Neuenschwander. A suite of randomness tests are implemented by the US Government’s NIST [13], and another suite of randomness tests called CRYPT-XS are implemented by the Queensland University of Technology(QUT)’s Information Security Institute [15]. 

This work is supported by the Australian Research Council.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 122–133, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Testing Stream Ciphers by Finding the Longest Substring

123

In this paper we consider algorithms for an easy to state problem that is useful for randomness testing, but which is deceptively difficult to solve in worst case asymptotic time less than an obvious brute-force solution. We discuss the problem of randomness testing and its application to security further in Section 3 and focus on algorithmics below. Throughout we consider a string x[1..n] = x[1]x[2] . . . x[n] of n symbols drawn from a binary alphabet Σ = {0, 1}. We call x[i..j] = x[i]x[i + 1] . . . x[j], 1 ≤ i ≤ j ≤ n a substring of x. A substring x[i..j] is a suffix of x if j = n and a prefix of x if i = 1. The density of a string x is the ratio of the number of one-bits in the string to the length of the string. More formally given a string x and θ = c/d, c and d positive integers c ≤ d, we say a substring x[i..j] is θ-dense (or has density θ) if and only if j − i + 1 = kd and x[i..j] contains kc one-bits, for some positive integer k. Problem 1 (Longest θ-dense substring). Given a string x[1..n] on {0, 1} and θ = c/d, c and d positive integers, with c ≤ d and gcd(c, d) = 1, find the longest substring of x having density θ. In other words, find the largest k such that there is a substring of x of length kd that has kc one-bits. Note that, a string as defined in Problem 1, need not exist, and if it does, the problem is finding it efficiently. Throughout this paper, we use log to denote logarithms to the base 2. The remainder of this paper is as follows. Section 2 considers Problem 1 and gives a basic solution to which we add several heuristics. We show that one of the heuristics leads to a O(n log n) expected time solution to the problem. We discuss randomness testing and display experimental results using the new algorithm in in Section 3. Finally, in Section 4 we offer some reflections and future directions.

2

Locating the Longest Substring with Given Density

An O(n2 ) worst case solution to Problem 1, finding the longest θ-dense substring, is relatively straightforward. Firstly we preprocess x so that we can answer rank queries on x in constant time. The answer to a rank query rankx (i) is the number of one-bits in x[1..i]. A simple data structure to support rank queries is an array of integers containing the a count of the number of one-bits in x up to that position in the array. Such an array can be calculated in a single pass over x, requiring θ(n) time, and the largest element in such an array would be n, requiring at least log n bits of storage, so total space for the auxiliary data structure would be O(n log n). A more sophisticated data structure supporting constant time rank queries can be built in O(n) time and requires n + o(n) bits of extra space [6,11,14]. Once the auxiliary data structure is constructed so rank queries can be answered in constant time, the number of bits in substring x[i..j] can be calculated as rankx (j) − rankx (i − 1), also in O(1) time. Then for each position in the string i ∈ [1..n − d + 1], compute the number of bits in each substring x[i..i+kd], k ∈ [1..(n−i+1)/d] keeping track of the longest substring containing

124

S. Bozta¸s, S.J. Puglisi, and A. Turpin BruteForce (x[1..n],θ = c/d) Set up a rank data structure that computes rankx (i) in O(1) time. Set max ← (0, 0). for i ← 1 to n − d + 1 do Set kc ← c. for j ← i + d − 1 to n in steps of d do if (rankx (j) − rankx (i − 1)) = kc and (j − i > max.j − max.i) then Set max ← (i, j). Set kc ← kc + c. if max  = (0, 0) then output x[max.i..max.j] else no substring found.

Fig. 1. Algorithm BruteForce to find the longest substring of x[1..n] that is θ-dense

kc one-bits. For each position we ask at most O(n/d) rank queries, there are at most n positions, so overall the time spent is O(n2 /d) = O(n2 ). Figure 1 shows some pseudo code for this approach. Given that the rank data structure allows a constant time decision on whether a given substring of length kd contains the necessary number of one-bits, the difficulty with Problem 1 seems to be the number of substrings an algorithm must consider, so any reduction in running time must be gained through a reduction in the number of substrings. This observation is consistent with literature describing O(n) algorithms for finding θ-dense substrings with bounded lengths [7]. In the next two subsections we examine two approaches to reducing the number of substrings considered. 2.1

Exploiting θ-Primitives

It would seem intuitive that long θ-dense strings would contain substrings that were themselves θ-dense. If this were true, then an inductive style algorithm that constructs long θ-dense strings by combining smaller θ-dense substrings should reduce the running time of an algorithm to solve Problem 1. In this regard, we observe the following lemma. Lemma 1. A θ-dense string x of length kd containing exactly kc one-bits must have at least one substring of length d containing c one-bits. Proof. Call a substring of x of length d under or over if it contains less than or more than c one-bits respectively. We proceed with a proof by contradiction. Assume the Lemma is not true, then every substring of x of length d must be either under or over. If all length d substrings were under, then there would be less than kc one bits in x in total; similarly, if all of the length d substrings were over, then there would be more than kc one bits in x in total. Hence, there must be at least one under and one over substring in x as it is θ-dense. Moreover, there must be a point in the string where an over and under substring overlap by d − 1 characters, otherwise all substrings must be under, or all over. Without loss of generality say that position in x where the overlap between an under and an over substring occurs is i+1; that is, x[i..i+d] is under and x[i+1..d+1]

Testing Stream Ciphers by Finding the Longest Substring

125

is over. The substring x[i..i+d] can have at most c − 1 one-bits, as it is under, hence the substring x[i..i+d]x[i+d+1] = x[i..i+d+1] can have at most c one-bits. But if x[i..i+d+1] can have at most c one-bits, it is not possible for its suffix x[i+1..i+d+1] to have more than c bits hence x[i + 1..d + 1] cannot be over. Therefore x cannot consist of only substrings of length d that are a mix of under and over. Therefore x contains a substring of length d that contains c one-bits. 2 We call a θ-dense string of length d a θ-primitive string. It would be nice if the θ-primitive substrings of a string could be used as a base for constructing longer θ-dense substrings. That is, beginning with θprimitives of length d, expand them to θ-dense strings of length 2d, and so on. Unfortunately if x is of length kd and contains kc one-bits, there is no guarantee that it must contain a substring of length (k − 1)d containing (k − 1)c bits. For example, if x = 111000111 and d = 3, c = 2, then the entire string (k = 3) has density 2/3, but there is no substring of length 6 containing 4 one-bits (k = 2). So while any θ-dense string must contain a θ-primitive of length d containing c one-bits, there is no guarantee that it must contain a substring of length 2d containing 2c one-bits. This limits the power of Lemma 1 to reduce the number of substrings that must be considered by any algorithm designed to find the longest θ-dense substring of a string below O(n2 ). Interestingly, Lemma 1 can be used to solve the following (weaker) problem in O(n) time. Problem 2. Given a string x[1..n] on {0, 1} and θ = c/d, c and d relatively prime positive integers, c < d, determine if x has any substrings with density of one-bits equal to θ. Lemma 1 allows us to only check the substrings of length d — if none are present then there can be no longer ones. The substrings of length d can be checked for in O(n) time by sliding a window of size d over x. Although there is no ready inductive argument that might allow an algorithm to identify all θ-primitive regions, and then use them to construct longer substrings in sub-O(n2 ) time, in practice Lemma 1 may provide some useful heuristics that will reduce running time on random strings. Lemma 2. Let i1 and i2 be the positions of consecutive θ-primitive substrings in x. No θ-dense substring can begin after position i1 and end before position i2 + d − 1. Proof. From Lemma 1 we know that any θ-dense substring must contain a θprimitive substring. Any substring beginning after i1 and ending before i2 will not contain a θ-primitive substring, so cannot be θ-dense. 2 If θ-primitives are few and far between, as we might expect in random strings for large d, then this Lemma allows us to discard quite a few substrings from consideration. An algorithm similar to BruteForce, where i and j, the left and right boundaries of possible substrings respectively, move right along x can exploit this. The right boundary, j must be to the right of the closest primitive

126

S. Bozta¸s, S.J. Puglisi, and A. Turpin SkipMisMatch (x[1..n],θ = c/d) Set up a rank data structure that computes rankx (i) in O(1) time. for k ← n/d downto 1 do Set i ← 1, and j ← kd. while i ≤ n − kd + 1 do Set δ ← |kc − rankx (j) + rankx (i − 1)|. if δ = 0 then Set max ← (i, j) and terminate. Set i ← i + δ, and j ← j + δ. Output no suitable substring found.

Fig. 2. Algorithm SkipMisMatch to find the longest substring of x[1..n] that is θdense

to i, if such a primitive exists, allowing j to skip several positions from consideration. For each pair, however, all strings beginning at i and ending at a position greater than j must be checked, so the algorithm still requires O(n2 ) time. The worst case is realised when every position in the string is the end of a θ-primitive; for example, x = 110110110.. when θ = 2/3. 2.2

Exploiting Mismatches

A reversal of the loops in Figure 1 yields an alternate brute force algorithm that for every possible substring length, every position is checked; rather than one that checks every possible length for every position. This simple reversal of loops does not lower the asymptotic cost of Algorithm BruteForce, but it does allow an optimisation, as captured in the following Lemma. Lemma 3. If the number of one-bits, say m, in a substring of length kd beginning at position i, where 1 ≤ i ≤ n − kd + 1, x[i..i + kd − 1], is not equal to kc, then there can be no θ-dense substring of length kd beginning in positions x[i..i + |kc − m|]. Proof. By definition, a θ-dense substring of length kd must contain kc one-bits. If a substring of x of length kd contains only m < kc one-bits, then at least a further kc − m bits must be added to the substring to bring the count of onebits up to kc. That is, the end of the substring must be increased by kc − m positions. In order to remain of length kd, however, the left boundary of the substring must also be increased by kc − m positions, hence it cannot begin in positions x[i..i + (kc − m)]. Similarly, if m > kc, then m − kc zero-bits must be added to the end of x to reduce its density to θ. 2 This lemma allows us to exploit mismatches in windows of length kd in much the same way that pattern matching algorithms such as KMP or Boyer-Moore skip over mismatching areas of text [3]. Algorithm SkipMisMatch outlines the approach. Note that the order of loops is reversed from Algorithm BruteForce, and k decreases from the maximum possible until some θ-dense substring is found. Because

Testing Stream Ciphers by Finding the Longest Substring

127

the algorithm searches from longest to shortest substrings, it can terminate as soon as it has found a θ-dense substring, as there can be no longer such substrings. For each substring considered, if there is an abundance or deficit of one-bits (δ  = 0), then i and j are stepped by the difference as per Lemma 3. The worst case running time of Algorithm SkipMisMatch is still O(n2 ), but the expected running time can be less, depending on the number and size of the skips arising from Lemma 3. Lemma 4. Algorithm SkipMisMatch requires O(n log n) expected time. Proof. Let us assume that the string x has been generated by a source that emits a one-bit with probability p. For some substring of length kd, the expected number of one-bits is p × kd, and the number of one-bits required for a θ-dense substring is θ × kd. The expected value of δ, therefore, is δˆk = |θkd− pkd|. So for each possible k value we expect to skip over δˆk positions for every position examined, so at most n/δˆk positions are examined. Given that examining each position requires O(1) time, The expected time is bounded by n/d

n/d+1  n − kd + 1  n ≤ 1/k = O(n log n), |θ − p|d δˆk

k=1

k=1

2

and the proof is complete. 2.3

Experimental Results on BSD Function Random

In order to confirm that the expected running time of Algorithm SkipMisMatch is sub-O(n2 ) we ran some simple timing experiments on strings generated using

50

1

30

0.501 0.503 0.509 0.513 0.519

2 1

20

Time (secs)

40

1 2 3 4 5

3 4 5

0

10

2

1 2 3 4 2 1 5 55 33 2 44 1 0

1 2 3 4 5

1 2 3 4 5 10

3 4 5

20

30

40

50

60

n (’000,000)

Fig. 3. Mean time taken for Algorithm SkipMisMatch on strings of varying length generated by the BSD function Random (x-axis) when p = 0.5. The values in the legend indicate the θ value used for each run.

S. Bozta¸s, S.J. Puglisi, and A. Turpin

20000 15000 10000 5000

Maximum length of sequence

25000

128

1

2

4

8

16

32

64

128

256

512

n (’000,000)

Fig. 4. Length of the longest θ-dense sequence, generated by Random, where θ = 0.519, p = 0.5. Boxes show 0.25 and 0.75 quantiles, the black line is the median, and whiskers and dots show extreme values. The solid curve is the bound given by the Strong Law of Large Numbers: log(n)/H(0.519, 0.5).

the BSD function random on a Sun Fire V210 Server with 16GB of RAM running Solaris 10, utilising one of the two 1.34 GHz UltraSPARCIII-i processors. Times reported are the CPU time as reported by the Solaris command line time program. Figure 3 shows the mean running time of Algorithm SkipMisMatch, where the mean is over 20 runs with a different random seed for the random function at each run, for various θ values. The standard deviations of each group of runs were very small, and so are not plotted as error bars. The digits labelling the curves represent data points, and the lines are drawn for clarity. In all cases, the time required increases sub-O(n2 ) as n increases. As |θ − p| increases (curves 1 down to 5) the running time of SkipMisMatch decreases accordingly, as the constant of proportionality in the O(n log n) expected running time bound includes 1/|θ − p|. To examine the effect of varying p, we fixed θ at 0.6, and ran 20 runs for various p values, again using new random seeds for each run. The data is consistent with an expected running time of O(|θ − p|−1 n log n). Figure 4 shows some of the lengths of the longest sequences we observed at the output of Random. The plot is consistent with the expectation that the length of the longest sequence is proportional to log(n)/H(θ, p), as discussed in detail in the next section.

Testing Stream Ciphers by Finding the Longest Substring

3

129

Application to Randomness Testing of Stream Ciphers

The eStream project www.ecrypt.eu.org/stream/ is a recently completed project described as a “multi-year effort running from 2004 to 2008 [which] has identified a portfolio of promising new stream ciphers”. An interesting and highly efficient cipher submitted to that project is Dragon [16] designed by researchers at QUT. Dragon has been subjected to extensive randomness testing with no weaknesses identified. While many randomness tests are currently known and used, it is still of interest to look for further tests, since in cryptography, a cipher is considered suspect as soon as its output fails a single well-designed test. Moreover, recent work has shown that the issue of statistical dependence between commonly used tests is quite complicated. In particular some tests output test results which have a much higher correlation than what would be expected if the tests were statistically independent. See Turan et. al. [17] for more details. 3.1

Testing Dragon Using the Erd¨ os-R´ enyi Strong Law of Large Numbers

25000 15000 5000 0

Maximum length of dense sequence

The relevance of Problem 1 to randomness testing comes from the fact that for a random sequence, the statistic computed by Problem 1 has an almost-sure limit as n → ∞. Let X1 , . . . , Xn be a given sequence of {0, 1}−valued random variables and define Ln (θ), the length of the “longest run of 1’s with density θ” by

0

1

2

3

4

5

6

7

8

9

10

log2(n/1,000,000)

Fig. 5. Length of the longest θ-dense sequence, generated by Dragon, where θ = 0.519, p = 0.5. Boxes show 0.25 and 0.75 quantiles, the black line is the median, and whiskers and dots show extreme values. The solid curve is the bound given by the SLLN: log(n)/H(0.519, 0.5).

130

S. Bozta¸s, S.J. Puglisi, and A. Turpin



1 Ln (θ) = max t : ∃i ∈ {0, . . . , n − t}, θ ≤ Xi+k t t

 .

k=1

Erd¨ os and R´enyi [5] have proved the following. Theorem 1. If X1 , . . . , Xn are i.i.d. with P r[Xi = 1] = p, for all θ ∈ (p, 1], we log(n) have Ln (θ) → H(θ,p) , almost surely, where the binary relative entropy is given by H(θ, p) = θ log(θ/p) + (1 − θ) log((1 − θ)/(1 − p)). We now give an intuitive and non-rigorous explanation of what the phrase converges almost surely (implicit in the Theorem above) means. The rigorous definition of this measure-theoretic terminology can be found in many statistics textbooks. If we say that a random quantity Tn converges in probability to a constant T , this means that, for the random sequence Tn , for all ε > 0, the quantity P r[|Tn − T | > ε] goes to zero as n → ∞. But this probability is averaged over all possible realizations of the random sequence (Tn )n≥1 so that there can be some realizations for which the convergence above does not hold, albeit for a vanishing fraction as of all possible realizations n → ∞. If we say that a random quantity Tn almost surely converges to a constant T , this means that, for the random sequence Tn , for all ε > 0, the quantity P r[|Tn − T | > ε] goes to zero as n → ∞ for essentially all possible realizations of the random sequence (equivalently except for a set of probability zero among all possible realizations). It is, however, possible that the rate of convergence of P r[|Tn − T | > ε] to zero depends on the realization. Note that limθ→p H(θ, p) = 0, and that’s why we take θ ∈ (p, 1]. It is relatively simple to obtain an upper bound on this growth rate by using large deviations, see [2], but much harder to get the lower bound and hence the exact growth rate. Using this almost sure growth rate to test the randomness of a given sequence would essentially proceed as follows (for simplicity, we assume the sequence is unbiased, i.e., p = 1/2) which should hold for the output of any good random bit generator. For i = 1, 2, . . . , s compute the length of the longest substring in X1 , . . . , Xni with density θ1 , . . . , θm . Use the theorem to visually observe whether the growth rate of the length of the longest substring is roughly: (i) Proportional to log(ni ), i = 1, . . . , s; and (ii) Inversely Proportional to H(θj , 1/2) for j = 1, . . . , m. As a preliminary experiment to exploit Theorem 1 for solving Problem 1, we could assume a value of p, and assume that string x is long enough for the strong law to be accurate, and only search the string for substrings of length log(n)/H(θ, p). We have done this for the function Random and displayed the results in Figure 4. We have also applied this approach as a preliminary test of the output of Dragon. In particular, for keystream output lengths of 225 + 1000k, with k =

Testing Stream Ciphers by Finding the Longest Substring

131

−6

−4

−2

0

2

Wn Tn

−5000

−3000

−1000

0

1000

3000

5000

n − 225

Fig. 6. The values of the quantities Tn defined in (1) (solid circles) and and Wn defined in (2) for the output of Dragon, where the output length ranges from 225 − 5000 to 225 + 5000 bits at equal intervals of 1000 bits

−5, −4, . . . , +4, +5, we have generated 100 random keys from /dev/random for each nk and used the 100 output keystreams thus generated as input to our algorithm computing the length of the longest substring with density θ = 0.519 assuming p = 1/2. The results look as expected and are plotted in Figure 5. These results are, of course, very preliminary, and extensive testing will follow. Note that we have used a logarithmic plot of the x−axis in Figure 5, hence the straight line of the solid curve, when compared to the curved line of the solid curve in Figure 4. When an x−axis value of Figure 5 is converted to the corresponding x−axis value in Figure 4, the statistical behaviour (in terms of median and dispersion) of Ln (θ) is essentially the same for Dragon and for the BSD function Random. 3.2

Testing Dragon Using the Law of the Iterated Logarithm

A related statistical strong law, described in [1], has also been used to test Dragon, and is described below. Let X1 , X2 , . . . be an i.i.d. sequence of binary random variables with p = P [Xi = 1] = 1 − P [Xi = 0] for all i ≥ 1, and let Sn:t be defined as the maximum number of ones occuring in a window of length t starting within the first n tosses: Sn:t = max (Xi + Xi+1 + · · · + Xi+t−1 ). 1≤i≤n

Assume that a ∈ (p, 1) and use a Law of the Iterated Logarithm from [1] to 

plot the variability of the output of Dragon. Fix θ ∈ (p, 1). With t = t(n) = 

log(n)/H(θ, p) , and the “odds ratio” r = r(θ, p) =

132

S. Bozta¸s, S.J. Puglisi, and A. Turpin 

= p(1 − θ)/(θ(1 − p)), as n → ∞ define centering constants b(n, t) = b(n, t; θ, p) by   θ log n 1 1 2πθ(1 − θ) b(n, t) = − log1/r log(n) − log1/r + log1/r (θ − p). H(θ, p) 2 2 H(θ, p) 

 Sn:t − b(n, t) P lim sup = 1 = 1. log1/r log n n

We then have:

(1)

This means that for  > 0 arbitrarily small and for n large enough if we plot the time series Tn = (Sn:t − b(n, t))/ log1/r log n, Tn will approach arbitrarily closely to 1 from below but never reach it, infinitely often. Similarly

 P lim inf Sn:t − b(n, t) + log1/r log log n = −1 = 1. (2) n

which means that the time series Wn = Sn:t − b(n, t) + log1/r log log n will approach -1 arbitrarily closely from above but never reach it, infinitely often. Interestingly, when we apply this test to Dragon, as seen in Figure 6, Tn (shown as circles) exceeds +1 somewhat but is usually under it, which is reasonable. However, Wn (shown as diamonds) varies around a mean of roughly -5, which may be an indicator of a problem with Dragon. Clearly, this preliminary observation deserves further study.

4

Conclusions and Discussion

In this paper we have presented a new algorithm for finding the longest substring of a given density in a string, and shown that it runs in O(n log n) expected time. Moreover, we have given two alternate approaches to solving the problem: exploiting the idea of θ-primitives as introduced in Lemma 1; and exploiting the bound given by the Strong Law of Large Numbers. While our implementations of these ideas did not decrease running times below those of Algorithm SkipMisMatch for parameterisations that would be typical in randomness testing, both seem promising avenues of exploration. In particular, one ready optimisation for an algorithm that solves the problem could be to check for the existence of any θ-primitive during the construction of the data structure used for rank queries. If no such primitive exists, then no further work is required. This is particularly useful when |θ − p| is large, but is not so useful if the data structure is computed once for a string, but used for many different θ values. For the output of a stream cipher, the assumption p = 1/2 is eminently reasonable, and is tested by the basic frequency test which is O(n) in complexity. Once the cipher passes that test, one can apply the tests developed here. We have presented preliminary results on the output of Dragon which deserves further study.

Testing Stream Ciphers by Finding the Longest Substring

133

Acknowledgements The authors acknowledge the constructive comments by the anonymous referees whose suggestions have improved the presentation of the results in this paper.

References 1. Arratia, R., Gordon, L., Waterman, M.S.: The Erd¨ os-R´enyi Law in Distribution, for Coin Tossing and Pattern Matching. Annals of Statistics 18(2), 539–570 (1990) 2. Arratia, R., Waterman, M.S.: The Erd¨ os-R´enyi Strong Law for Pattern Matching with a Given Proportion of Mismatches. Annals of Probability 17(3), 1152–1169 (1989) 3. Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Comm. of the ACM 20(10), 762–772 (1977) 4. L’Ecuyer, P.: Testing Random Number Generators. In: Proceedings of the 1992 Winter Simulation Conference, pp. 305–313 (1992) 5. Erd¨ os, P., R´enyi, A.: On a New Law of Large Numbers. J. Analyse Math. 22, 103–111 (1970) 6. Gonz´ alez, R., Grabowski, S., M¨ akinen, V., Navarro, G.: Practical implementation of rank and select queries. In: Nikoletseas, S.E. (ed.) WEA 2005. LNCS, vol. 3503, pp. 27–38. Springer, Heidelberg (2005) 7. Greenberg, R.I.: Fast and Space-Efficient Location of Heavy or Dense Segments in Run-Length Encoded Sequences. In: Warnow, T.J., Zhu, B. (eds.) COCOON 2003. LNCS, vol. 2697, pp. 528–536. Springer, Heidelberg (2003) 8. Knuth, D.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1981) 9. Marsaglia, G.: A Current View of Random Number Generators. Computer Science and Statistics: The Interface, pp. 3–10. Elsevier Science, Amsterdam (1985) 10. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996) 11. Munro, J.I.: Tables. In: Chandru, V., Vinay, V. (eds.) FSTTCS 1996. LNCS, vol. 1180, pp. 37–42. Springer, Heidelberg (1996) 12. Neuenschwander, D.: Probabilistic and Statistical Methods in Cryptology: An Introduction by Selected Topics. In: Andr´e, E., Dybkjær, L., Minker, W., Heisterkamp, P. (eds.) ADS 2004. LNCS, vol. 3068. Springer, Heidelberg (2004) 13. National Institute of Standards and Technology, Random Number Generation and Testing, Publication SP-800-22 (visited February 4, 2009), http://csrc.nist.gov/rng/ 14. Okanohara, D., Sadakane, K.: Practical entropy-compressed rank/select dictionary. In: Proceedings of the Ninth Workshop on Algorithm Engineering and Experiments (ALENEX 2007) (visited February 6, 2009), http://www.siam.org/proceedings/alenex/2007/ 15. Queensland University of Technology, Information Security Institute, CRYPT-XS, http://www.isi.qut.edu.au/resources/cryptx/ (visited February 6, 2009) 16. Queensland University of Technology, Information Security Institute, Dragon Stream Cipher, http://www.isi.qut.edu.au/resources/dragon/ (visited February 6, 2009) 17. Turan, M.S., Doganaksoy, A., Bozta¸s, S.: On Independence and Sensitivity of Statistical Randomness Tests. In: Golomb, S.W., Parker, M.G., Pott, A., Winterhof, A. (eds.) SETA 2008. LNCS, vol. 5203, pp. 18–29. Springer, Heidelberg (2008)

New Correlations of RC4 PRGA Using Nonzero-Bit Differences Atsuko Miyaji and Masahiro Sukegawa Japan Advanced Institute of Science and Technology [email protected]

Abstract. RC4 is the stream cipher proposed by Rivest in 1987, which is widely used in a number of commercial products because of its simplicity and substantial security. RC4 exploits shuffle-exchange paradigm, which uses a permutation S. Many attacks have been reported so far. No study, however, has focused on correlations in the Pseudo-Random Generation (PRGA) between two permutations S and S  with some differences, nevertheless such correlations are related to an inherent weakness of shuffle-exchange-type PRGA. In this paper, we investigate the correlations between S and S  with some differences in the initial round. We show that correlations between S and S  remain before “i” is in the position where the nonzero-bit difference exists in the initial round, and that the correlations remain with non negligible probability even after “i” passed by the position. This means that the same correlations between S and S  will be observed after the 255-th round. This reveals an inherent weakness of shuffle-exchange-type PRGA.

1

Introduction

RC4 is the stream cipher proposed by Rivest in 1987, which is widely used in a number of commercial products because of its simplicity and substantial security. Though many cryptanalysis of RC4 have been proposed so far [1,4,13,7,2,12,8,11,9,3,5], it has remained secure under proper use. As a result, RC4 is widely used in many applications such as Secure Sockets Layer (SSL), Wired Equivalent Privacy (WEP), etc. RC4 exploits shuffle-exchange paradigm, which uses a permutation S = (S[0], · · · , S[N − 1]) given in the initial, and outputs 8-bit data in each round by updating the permutation S, where typically each S[i] (i ∈ [0, N − 1]) is 8 bits and N = 256. In more detail, RC4 consists of two algorithms, the Key Scheduling Algorithm (KSA) and the Pseudo Random Generation Algorithm (PRGA). KSA is given a secret key with  bytes (typically, 5 ≤  ≤ 16) and generates the initial permutation S0 , which is an input of PRGA. PRGA is given 

This study is partly supported by Grant-in-Aid for Scientific Research (B), 203000032.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 134–152, 2009. c Springer-Verlag Berlin Heidelberg 2009 

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

135

the initial permutation S0 , uses two indices i and j, (where i is a public counter but j is one element of secret state information), updates S and j, and outputs Z = S[S[i] + S[j]] as a key stream at the end of each round. There are mainly two approaches to the cryptanalysis of RC4, analysis of the weaknesses of the KSA, and analysis of the weaknesses of the PRGA. Many works, however, focus on the bias between a secret key and the initial permutation, which is an input of PRGA. Some analysis of the weaknesses of the PRGA also focus on the correlation between the first keystream output of PRGA and the secret key. We have not seen any research on correlations in PRGA between two permutations with some differences. However, such correlations should be investigated, since it is reported that sets of two keys which output either the same initial permutations or initial permutations with differences of just a few bits can be intentionally induced [6]. Furthermore, correlations between outputs of two consecutive rounds is an inherent weakness of shuffle-exchange-type PRGA. In this paper, we focus on a shuffle-exchange structure of PRGA, where 1 swap is executed in each round. We investigate how the structure mixes the permutation S, by observing correlations between two permutations, S and S  , with some differences in the initial round. The set of indices where differences exist in the initial round is represented by Diff 0 . The correlations are measured over (a) the difference value of two permutations ΔS = S ⊕ S  , (b) the difference value of two outputs of PRGA, ΔZ = Z ⊕ Z  , and (c) the difference value of two indices Δj = j ⊕ j  . We start with Diff 0 = {df 0 [1], df 0 [2]}. Our results, however, are easily applicable to other cases where there exist differences Diff 0 with #Diff 0 > 2 in the initial round. We show theoretically that correlations between two permutations S and S  , such as ΔZ = 0, Δj = 0, and the hamming weight of ΔS, remain when i < df 0 [1]. Furthermore, we show that such correlations between two permutations S and S  remain with non negligible probability when i ≥ df 0 [1], thus, the same correlations between permutations will be observed when i < df 0 [2]. For example, the probability that such correlations remain when i > df 0 [1] is greater than 30% in the cases of df 0 [1] ≥ 93. We give the theoretical formulae of the probability of both outputs being equal when i = df 0 [1]. All theoretical results have been confirmed experimentally. This paper is organized as follows. Section 2 summarizes the known facts on RC4 together with notation. Section 3 investigates correlations in each round between two permutations S and S  with some differences in the initial round. Section 4 investigates correlations in each round between outputs of two permutations S and S  . Section 5 shows the experimental results which confirm all theories in Sections 3 and 4. Section 6 investigates how to predict inner states.

2

Preliminary

This section presents the KSA and the PRGA of RC4, after explaining the notations used in this paper.

136

A. Miyaji and M. Sukegawa

S, S  : permutations S0 , S0 : the initial permutations of PRGA Diff 0 : the set of indices where differences between S and S  exist in the initial round r: number of rounds (r = 0 means the initial round) df 0 [1], df 0 [2], · · · : the positions where differences exist in the initial round ir , jr (jr ): i and j (j  ) of S (S  ) after r rounds  Sr (Sr ): the permutation S (S  ) after r rounds Sr [i] (Sr [i]): the value of Sr (Sr ) in the position i after r rounds ΔSr : Sr ⊕ Sr ΔSr [i] : Sr [i] ⊕ Sr [i] |ΔSr | : the number of indices with ΔSr [i]  =0 Zr (Zr ): the output under S (S  ) at the r-th round ΔZr : Zr ⊕ Zr Δjr : jr ⊕ jr ΔState[0], ΔState[1], · · · : the state differences between S and S  (j and j  ) in a round r. (The state differences of i are omitted since the same i is used each other.)

RC4 has a secret internal state which is a permutation of all the N = 2n possible n-bit words and index j. RC4 generates a pseudo-random stream of bits (a keystream) which, for encryption, is combined with the plaintext using XOR; decryption is performed in the same way. To generate the keystream, the cipher makes use of a secret internal state which consists of two parts (shown in Figure 1): A key scheduling algorithm, KSA, which turns a random key (whose typical size is 40-256 bits) into an initial permutation S0 of {0, . . . , N − 1}, and an output generation algorithm, PRGA, which uses the initial permutation to generate a pseudo-random output sequence. The algorithm KSA consists of N loops. It initializes S to be the identity permutation, and both i and j to 0, and then repeats three simple operations: increment i, which acts as a counter, set j by using S and a secret key K with  bytes where each word contains n bits, and swap two values of S in positions i and j. Finally, it outputs a random permutation S = S0 .

KSA(K) Initialization For i = 0 . . . N − 1 S[i] = i j=0 Scrambling: For i = 0 . . . N − 1 j = j + S[i] + K[i (mod )] Swap(S[i], S[j])

PRGA(K) Initialization: i=0 j=0 Generation loop: i=i+1 j = j + S[i] Swap(S[i], S[j]) Output z = S[S[i] + S[j]]

Fig. 1. The Key Scheduling Algorithm and the Pseudo-Random Generation Algorithm

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

137

The algorithm PRGA is similar to KSA. It repeats four simple operations: increment i, which act as a counter, set j by using S and the previous j, swap two values of S in positions i and j, and output the value of S in position S[i] + S[j]. Each value of S is swapped at least once (possibly with itself) within any N consecutive rounds. All additions used in both KSA and PRGA are in general additions modulo N unless specified otherwise.

3

State Analysis of Permutations with Some Differences

This section analyzes correlations between two permutations, S and S  , with some differences in the initial round. The set of indices where differences exist in the initial round is represented by Diff 0 = {df 0 [1], df 0 [2], · · · }. The indices with nonzero bit differences are arranged in order of positions that i will reach after the next round. Therefore, if nonzero bit differences exist in positions 0 and N − 1 in the initial round, then Diff 0 = {df 0 [1], df 0 [2]} = {N − 1, 0} since i will be incremented to 1 in the first round. 3.1

Overview of Analysis

Assume that two permutations S and S  with Diff 0 = {df 0 [1], df 0 [2]} in the initial round are given, where (S0 [df 0 [1]], S0 [df 0 [2]]) = (a, b) and (S0 [df 0 [1]], S0 [df 0 [2]]) = (b, a) (See Figure 2). Then, the initial state of differences between S0 and S0 is: ΔState[0] : (ΔS[x]  = 0 ⇐⇒ x ∈ Diff 0 ) ∧ (Δj = 0). Then, we analyze the conditions in each round in which the initial state changes from the current state to another, or remains the same. The transitions of state are different according to the position of i, that is, i < df 0 [1]; i = df 0 [1] and the nonzero bit difference still exists in the position df 0 [1]; i = df 0 [1] but the nonzero bit difference does not exist in the position df 0 [1], which are formalized as follows. 0

1

2

3

df0[1]

df0[2]

253 254 255

0

1

2

Fig. 2. ΔState[0] 0

1

2

3

df0[1]

df0[2]

Fig. 4. Event[2]

3

df0[1]

df0[2]

253 254 255

Fig. 3. Event[1] 253 254 255

0

1

2

df0[1]

df0[2]

Fig. 5. Event[3]

253 254 255

138

A. Miyaji and M. Sukegawa

Event[1] : ir < df 0 [1] (Figure 3), Event[2] : [ir = df 0 [1]] ∧ [ΔSr−1 [df 0 [1]]  = 0] (Figure 4), Event[3] : [ir = df 0 [1]] ∧ [ΔSr−1 [df 0 [1]] = 0] (Figure 5). Figures 3, 4, and 5 show each event, where (x, x ) = (b, a) or x = x . We will see the reason for this in the following subsections. The following subsections describe each transition and the probability of its occurrence in each event. We will see that the state of differences between two permutations S and S  has the Markov property, that is, given the state in a certain round (the present state), the state in a future round (future states) is independent of past rounds. 3.2

Transitions of ΔState[0] Before the Nonzero Bit Difference

This subsection shows Theorem 1, which describes the transitions from the initial state in Event[1] and their associated probabilities. The state diagram is given in Figure 6D

Fig. 6. State Diagram of PRGA in Event[1]

Theorem 1. Assume that two initial permutations S and S  are in the state of differences ΔState[0] in the (r − 1)-th round, and that Event[1] occurs in the r-th round. (1) The state changes to the state ΔState[0] (resp. ΔState[1], resp. ΔState[2]) if jr  ∈ Diff 0 (resp. jr = df 0 [2], resp. jr = df 0 [1]), where ΔState[0] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 0 ] ∧ [Δjr = 0], ΔState[1] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 1 ] ∧ [Δjr = 0], ΔState[2] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 2 ] ∧ [Δjr = 0]. and where Diff 1 = {df 1 [1], df 1 [2]} = {df 0 [1], ir } and Diff 2 = {df 2 [1], df 2 [2]} = {df 0 [2], ir }. (2) Each transition occurs with the following probabilities if j is distributed randomly: N −2 1 1 Prob [ΔState[0]] = , Prob [ΔState[1]] = , and Prob [ΔState[2]] = , N N N where each probability is taken over choices of S and S  in state ΔState[0] in the initial round.

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

139

Proof: (1) It is clear that jr = jr holds in any case, since jr = jr−1 + Sr−1 [ir ], Δjr−1 = 0, and ir  ∈ Diff 0 . In the case of jr  ∈ Diff 0 , ΔSr−1 [ir ] = ΔSr−1 [jr ] = 0 holds and, thus, positions of non-zero-bit differences remain the same as those in (r − 1)-round. Therefore, ΔState[0] occurs. In the case of jr = df 0 [2], (Sr [ir ], Sr [jr ]) = (Sr−1 [jr ], Sr−1 [ir ]) = (b, Sr−1 [ir ]);    (Sr [ir ], Sr [jr ]) = (Sr−1 [jr ], Sr−1 [ir ]) = (a, Sr−1 [ir ]);

and, thus, the non-zero-bit difference in the position df 0 [2] moves to the current ir . Therefore, ΔState[1] occurs. In the case of jr = df 0 [1], (Sr [ir ], Sr [jr ]) = (Sr−1 [jr ], Sr−1 [ir ]) = (a, Sr−1 [ir ]);    (Sr [ir ], Sr [jr ]) = (Sr−1 [jr ], Sr−1 [ir ]) = (b, Sr−1 [ir ]); and, thus, the non-zero-bit difference in the position df 0 [1] moves to the current ir . Therefore, ΔState[2] occurs. (2) The probability that each state will occur follows from the above discussion. 

Theorem 1 implies that – |ΔSr | = 2 and Δjr = 0 hold as long as ir is not equal to the position that a nonzero bit difference exits in the initial round. – If jr = df 0 [1] at least once in the r-th round during ir < df 0 [1], then the nonzero bit difference in the position df 0 [1] moves to the current ir . As a result, the nonzero-bit difference that was originally in the position df 0 [1] affects neither |ΔS| nor Δj until the (r + N − 1)-th round. This is the case in which Event[3] occurs. The following corollary describes the detailed cases in which i is not equal to any position that a nonzero bit difference exits before the N -th round. Corollary 1. Assume that two initial permutations S and S  in the state of differences ΔState[0] are given. Then, if either of the following events occurs, then i is not equal to any position that a nonzero bit difference exits; and both |ΔSr | = 2 and Δjr = 0 hold until the N -th round. Event[4] : [jr1 = df 0 [1](1 ≤ ∃ir1 < df 0 [1])] ∧ [jr2 = df 0 [2](ir1 < ∃ir2 < df 0 [2])] Event[5] : [jr3 = df 0 [2](1 ≤ ∃ir3 < df 0 [1] − 1)] ∧ [jr4 = df 0 [1](ir3 < ∃ir4 < df 0 [1])] .

Note that ir3 is less than df 0 [1] − 1 since ir3 < ir4 < df 0 [1]. Proof: Assume that Event[4] has occurred in (jr1 , jr2 ), that is, first jr1 = df 0 [1] for 1 ≤ ir1 < df 0 [1] has occurred. This means that ΔState[2] has occurred in the index of ir1 and, thus, ΔSr1 [x]  = 0 ⇐⇒ x ∈ Diff 2 . Therefore, the nonzero-bit difference in the position df 0 [1] moves to the position ir1 . Next, it is assumed that jr2 = df 0 [2](ir1 < ir2 < df 0 [2]) has occurred. Then, ΔSr2 [x]  = 0 ⇐⇒ x ∈ {ir1 , ir2 } by applying Theorem 1 to Diff 2 . Thus, i is not equal to any position that a nonzero bit difference exits until the N -th round.

140

A. Miyaji and M. Sukegawa

Assume that Event[5] has occurred in (jr3 , jr4 ), that is, first jr3 = df 0 [2] for 1 ≤ ir3 < df 0 [1] − 1 has occurred. This means that ΔState[1] has occurred in the index of ir3 and, thus, ΔSr3 [x]  = 0 ⇐⇒ x ∈ Diff 1 . Then, the index df 0 [2] no longer indicates a nonzero bit difference. Next, it is assumed that jr4 = df 0 [1](ir3 < ir4 < df 0 [1]) has occurred. Then, ΔSr4 [x]  = 0 ⇐⇒ x ∈ {ir3 , ir4 } by applying Theorem 1 to Diff 1 . Thus, i is not equal to any position that a nonzero bit difference exits until the N -th round. 

The probability that Event[3] occurs, Prob [Event[3]], is computed by the next theorems. Theorem 2. Assume that two initial permutations S and S  in the state of differences ΔState[0] with df 0 [1] ≥ 5 are given. Then, Event[3] will occur with the following probability if j is distributed randomly:  Prob [Event[3]] = 1 −

N −1 N

df 0 [1]−1

,

where the probability is taken over choices of S and S  with differences in Diff 0 in the initial round. Proof: Event[2], the complement of Event[3], occurs if and only if j  = df 0 [1]  N −1 df 0 [1]−1 during i < df 0 [1]. Therefore, Prob [Event[3]] = 1− N if j is distributed randomly. 

In the case of df 0 [1] < 5, we can describe Prob [Event[3]] by the conditions of S0 as follows: Theorem 3. Assume that two initial permutations S and S  in the state of differences ΔState[0] with df 0 [1] ≤ 5 are given. Then, Event[3] will occur in the following probability if S0 [1], S0 [2], and S0 [3] are distributed randomly: (1) In the case of df 0 [1] = 2, Prob [Event[3]] = Prob [S0 [1] = j1 = 2] = 1 , N (2) In the case of df 0 [1] = 3,

Prob [Event[3]] = Prob [S0 [1] = 3] + Prob [S0 [1]  = 2, 3 ∧ S0 [1] + S0 [2] = 3] =

2N − 3 , N (N − 1)

(3) In the case of df 0 [1] = 4, Prob [Event[3]] = Prob [S0 [1] = 2] + Prob [S0 [1] = 4] + Prob [S0 [1] = 3 ∧ S0 [2] = N − 2] + Prob [S0 [1]  = 2, 3, 4 ∧ S0 [3]  = 0, 1 ∧ S0 [1] + S0 [2] + S0 [3] = 4] 2(2N − 3) = , N (N − 1)

where the probability is taken over choices of S and S  with differences in Diff 0 in the initial round. Proof: (1) Event[3] occurs if and only if j1 = df 0 [1] = 2, where j1 = j0 + S0 [1] = S0 [1]. Therefore, Prob [Event[3]] = Prob [S0 [1] = 2] = N1 .

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

141

(2) Event[3] occurs if and only if j1 = df 0 [1] = 3 or j2 = df 0 [1] = 3. If S0 [1] = 3, then we get j1 = j0 + S0 [1] = S0 [1] = 3 = df 0 [1]. If S0 [1]  = 2, then S0 [1] = j1  = 2, which means that S0 [1] is not swapped with S0 [2] in the first round. This implies that S1 [2] = S0 [2]. Thus, if [S0 [1]  = 2, 3] ∧ [S0 [1] + S0 [2] = 3], we get j2 = j1 + S1 [2] = S0 [1] + S0 [2] = 3 = df 0 [1]. Therefore, Prob [Event[3]] = 1 N −2 2N −3 N + N (N −1) = N (N −1) . (3) Event[3] occurs if and only if j1 = df 0 [1] = 4, j2 = df 0 [1] = 4, or j3 = df 0 [1] = 4. If S0 [1] = 4, then we get j1 = j0 + S0 [1] = S0 [1] = 4 = df 0 [1]. If S0 [1] = 2, then j1 = j0 + S0 [1] = 2; S0 [1] is swapped with S0 [2]; and, we get j2 = j1 + S1 [2] = j1 + S0 [1] = 4 = df 0 [1]. Note that S0 [1] is swapped with S0 [2] if and only if S0 [1] = 2. If S0 [1]  = 2, 4 and S0 [1] + S0 [2] = 4, then we get j2 = j1 + S1 [2] = S0 [1] + S0 [2] = 4 = df 0 [1]. If S0 [1] = 3 and S0 [2] = N − 2, then j1 = S0 [1] = 3; and S0 [1] is swapped with S0 [3], which implies that (S1 [1], S1 [3]) = (S0 [3], S0 [1]). Then, in the 2nd round, j2 = j1 + S1 [2] = 3 + S0 [2] = 1; and S1 [2] is swapped with S1 [1], which implies that S2 [3] = S1 [3] = 3. Thus, in the 3rd round, we get j3 = j2 + S2 [3] = 4. Note that S0 [1] is swapped with S0 [3] if and only if S0 [1] = 3. If S0 [1]  = 2, 3, 4; S0 [3]  = 0, 1; and S0 [1] + S0 [2] + S0 [3] = 4, then S1 [2] = S0 [2]; S1 [3] = S0 [3]; and S0 [1] + S0 [2]  = 3. This implies that S1 [3] is not swapped with S1 [2] and that S2 [3] = S1 [3]. Thus, we get j3 = S0 [1] + S0 [2] + S0 [3] = 4. To sum up all conditions, which are independent of each other, Prob [Event[3]] = 2(2N −3) 2 N −2 1 N −3 

N + N (N −1) + N (N −1) + N (N −1) = N (N −1) . 3.3

Transitions of ΔState[0] on the Nonzero Bit Difference

This subsection shows Theorem 4, which describes each transition of the initial state ΔState[0] and the probability of its occurrence in Event[2] . The state diagram is given in Figure 7.

Fig. 7. State Diagram of PRGA in Event[2]

142

A. Miyaji and M. Sukegawa

Theorem 4. Assume that two permutations S and S  are in the state of differences ΔState[0] in the (r − 1)-th round. (1) The state changes to ΔState[3] (resp. ΔState[3 ], resp. ΔState[4], resp. ΔState[4 ], resp. ΔState[5], resp. ΔState[6]), if [jr = df 0 [2]] ∧ [jr  ∈ Diff 0 ] (resp. [jr = df 0 [2]] ∧ [jr  ∈ Diff 0 ], resp. [jr = df 0 [1]] ∧ [jr  ∈ Diff 0 ], resp. [jr = df 0 [1]] ∧ [jr  ∈ Diff 0 ], resp. jr , jr  ∈ Diff 0 , resp. jr , jr ∈ Diff 0 ), where ΔState[3] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 3 ] ∧ [Δjr ΔState[3 ] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 3 ] ∧ [Δjr ΔState[4] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 4 ] ∧ [Δjr ΔState[4 ] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 4 ] ∧ [Δjr ΔState[5] : [ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 5 ] ∧ [Δjr ΔState[6] : [|ΔSr | = 0] ∧ [Δjr

 0], = = 0],  = 0],  = 0],  = 0],  = 0], 

where Diff 3 Diff 3 Diff 4 Diff 4 Diff 5

= {df 3 [1], df 3 [2]} = {df 0 [1], jr } = {ir , jr },   = {df 3 [1], df 3 [2]} = {df 0 [1], jr } = {ir , jr }, = {df 4 [1], df 4 [2], df 4 [3]} = {df 0 [1], df 0 [2], jr } = {ir , df 0 [2], jr },    = {df 4 [1], df 4 [2], df 4 [3]} = {df 0 [1], df 0 [2], jr } = {ir , df 0 [2], jr }, = {df 5 [1], df 5 [2], df 5 [3], df 5 [4]} = {df 0 [1], df 0 [2], jr , jr } = {ir , df 0 [2], jr , jr }.

(2) Each transition occurs with the following probability, if j is distributed randomly: Prob [ΔState[3] ∨ ΔState[3 ]] = Prob [Event[2]] · Prob [ΔState[4] ∨ ΔState[4 ]] = Prob [Event[2]] · Prob [ΔState[5]] Prob [ΔState[6]]

= Prob [Event[2]] · = Prob [Event[2]] ·

2(N −2) N (N −1) , 2(N −2) N (N −1) , (N −2)(N −3) N (N −1) , 2 N (N −1) .

Proof: (1) It is clear that jr  = jr in each case, since Δjr = Δjr−1 + ΔSr−1 [ir ] = ΔSr−1 [ir ]  = 0. In the case of jr = df 0 [2] and jr  ∈ Diff 0 , Sr−1 [ir ] = Sr−1 [df 0 [1]] =   a is swapped with Sr−1 [jr ] = b; Sr−1 [ir ] = Sr−1 [df 0 [1]] = b is swapped with   Sr−1 [jr ], which implies that Sr−1 [df 0 [2]] = a remains the same. Thus, we get ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 3 after the r-th round. In the case of jr = df 0 [2] and jr  ∈ Diff 0 , the same also holds. In the case of jr = df 0 [1] and jr  ∈ Diff 0 , ir = jr = df 0 [1] occurs; Sr−1 [ir ] =   Sr−1 [jr ] = a remains the same; and Sr−1 [ir ] = b is swapped with Sr−1 [jr ], Thus, we get ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 4 after the r-th round. In the case of jr = df 0 [1] and jr  ∈ Diff 0 , the same also holds.  In the case of jr , jr  ∈ Diff 0 , Sr−1 [ir ] = a (resp. Sr−1 [ir ] = b) is swapped   with Sr−1 [jr ] (resp. Sr−1 [jr ]), where nonzero-bit difference did not exist; and  both Sr−1 [df 0 [2]] = b and Sr−1 [df 0 [2]] = a still remain the same. Thus, we get ΔSr [x]  = 0 ⇐⇒ x ∈ Diff 5 after the r-th round.   In the case of (jr , jr ) = (df 0 [1], df 0 [2]), Sr−1 [ir ] = Sr−1 [df 0 [1]] = b is    swapped with Sr−1 [jr ] = Sr−1 [df 0 [2]] = a while both Sr−1 [ir ] = Sr−1 [jr ] = a

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

143

and Sr−1 [jr ] = b remain the same. Thus, all nonzero-bit differences disappear after swapping in the r-th round. The same also holds in the case of (jr , jr ) = (df 0 [2], df 0 [1]). (2) The probability that each state will occur follows from the above discussion. 

4

Correlation between Outputs and State Transitions

This section analyzes the differences between outputs of two permutations S and S  in each transition described in Section 3, where two initial permutations S and S  are in the state of differences ΔState[0]. 4.1

Outputs before the Nonzero-Bit Difference

This subsection investigates the correlation between outputs of two permutations in each transition before the first nonzero-bit difference (i.e. i < df 0 [1]). The states of differences of two permutations in any round r < df 0 [1] are ΔState[0], ΔState[1], or ΔState[2] from Theorem 1. The probability that both outputs of permutations are equal, Prob [ΔZ = 0], is given in the next theorem. Proposition 1. Assume that two initial permutations S and S  are in the state of differences ΔState[0] in the (r − 1)-th round, and that Event[1] occurs in the r-th round. Then, Prob [ΔZ = 0] in each state is as follows: Prob [ΔZ = 0] =

N −2 2 2 , , or N N (N − 1) N (N − 1)

if ΔState[0], ΔState[1], or ΔState[2] occurs, respectively. Proof: Theorem 1 has shown that – Δjr = 0 and jr , ir  ∈ Diff 0 if ΔState[0], – Δjr = 0, ir ∈ Diff 1 and jr  ∈ Diff 1 if ΔState[1], – Δjr = 0, ir ∈ Diff 1 and jr  ∈ Diff 2 if ΔState[2]. Then, the necessary and sufficient conditions for ΔZ = 0 in each state are as follows. In ΔState[0] : ΔZ = 0 ⇐⇒ [Δ(Sr [ir ] + Sr [jr ]) = 0] ∧ [Sr [ir ] + Sr [jr ]  ∈ Diff 0 ] ⇐⇒ Sr [ir ] + Sr [jr ]  ∈ Diff 0 N −2 Thus, Prob [ΔZ = 0] = N . In ΔState[1] : ΔZ = 0 ⇐⇒ [Δ(Sr [ir ] + Sr [jr ])  = 0] ∧ [Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 1 ] ⇐⇒ Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 1 Thus, Prob [ΔZ = 0] = N (N2−1) since #Diff 1 = 2 and Sr [ir ] + Sr [jr ]  = Sr [ir ] + Sr [jr ]. In ΔState[2] : ΔZ = 0 ⇐⇒ [Δ(Sr [ir ] + Sr [jr ])  = 0] ∧ [Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 2 ] ⇐⇒ Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 2 Thus, Prob [ΔZ = 0] = N (N2−1) since #Diff 1 = 2 and Sr [ir ] + Sr [jr ]  = Sr [ir ] + Sr [jr ].

From the above, Proposition 1 follows.



From Theorem 1 and Proposition 1, the probability of Prob [ΔZ = 0] if r < df 0 [1] (i.e. i < df 0 [1]) can be computed as follows. Corollary 2. Assume that two initial permutations S and S  with Diff 0 =  2 −2 + 4 {df 0 [1], df 0 [2]} are given. Then, Prob [ΔZ = 0] = N N , if N 2 (N − 1) r < df 0 [1].

144

A. Miyaji and M. Sukegawa

4.2 Outputs on the Nonzero-Bit Difference This subsection investigates the correlation between outputs of two permutations in each transition when r = df 0 [1] (i.e. i = df 0 [1]). The probability that both outputs are equal, Prob [ΔZ = 0], is given in the next theorem. Proposition 2. Assume that two initial permutations S and S  are in the state of differences ΔState[0] in the (r − 1)-th round, and that Event[2] occurs in the r-th round. Then, Prob [ΔZ = 0] in each state is as follows: Prob [ΔZ = 0] = N (N2−1) if ΔState[3] ∨ ΔState[3 ] N −3 3 Prob [ΔZ = 0] = N (N −2) + N (N −1) if ΔState[4] ∨ ΔState[4 ] −4 4 Prob [ΔZ = 0] = NN (N −3) + N (N −1) if ΔState[5] Prob [ΔZ = 0] = 0 if ΔState[6] Proof: Let c and c ∈ [0, N − 1] be values in positions of jr and jr before  swapping in the r-th round, that is, (c, c ) = (Sr−1 [jr ], Sr−1 [jr ]). On the other   hand, (a, b) = (Sr−1 [df 0 [1]], Sr−1 [df 0 [2]]) = (Sr−1 [df 0 [2]], Sr−1 [df 0 [1]]). (See Figure 2). Theorem 4 has shown that: ΔState[3] : ΔState[4] : ΔState[5] : ΔState[6] : or

(Sr [ir ], Sr [jr ]) = (b, a) ∧ (Sr [ir ], Sr [jr ]) = (c , b) (i.e. c = b and c  = a, b); (Sr [ir ], Sr [jr ]) = (a, a) ∧ (Sr [ir ], Sr [jr ]) = (c , b) (i.e. a = c and c  = a, b);       (Sr [ir ], Sr [jr ]) = (c, a) ∧ (Sr [ir ], Sr [jr ]) = (c , b) (i.e. c  = c and c , c  = a, b);    ΔSr = 0, (Sr [ir ], Sr [jr ]) = (a, a) ∧ (Sr [ir ], Sr [jr ]) = (a, b) (i.e. ir = jr );     ΔSr = 0, (Sr [ir ], Sr [jr ]) = (b, a) ∧ (Sr [ir ], Sr [jr ]) = (b, b) (i.e. ir = jr ).

Therefore, the necessary and sufficient conditions of ΔZ

= 0 in each

state are as follows. In ΔState[3] : ΔZ = 0 ⇐⇒ [Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 3 ] ∧ [Δ(Sr [ir ] + Sr [jr ])  = 0] ⇐⇒ [(a + b, c + b) = (df 0 [1], jr ), (jr , df 0 [1])]. Thus, Prob [ΔZ = 0] = N (N2−1) since a + b  = c + b always holds. The same reasoning holds in the case of ΔState[3 ]. In ΔState[4] : ΔZ = 0

 ⇐⇒ [[Δ(Sr [ir ] + Sr [jr ]) = 0] ∧ [Sr [ir ] + Sr [jr ]  ∈ Diff 4 ]] [[Δ(Sr [ir ] + Sr [jr ])  = 0]∧    [Sr [ir ] + Sr [jr ], Sr [ir ] +Sr [jr ] ∈ Diff 4 ] ∧ Sr [Sr [ir ] + Sr [jr ]] = Sr [Sr [ir ] + Sr [jr ]]] ⇐⇒ [2a = c + b ∧ 2a  ∈ Diff 4 ] [(2a, c + b) = (ir , df 0 [2]), (jr , ir ), (df 0 [2], ir )].

−3 3 Thus, Prob [ΔZ = 0] = N N (N −2) + N (N −1) . The same reasoning holds in the case of ΔState[4 ]. In ΔState[5] : ΔZ = 0

 ⇐⇒ [[Δ(Sr [ir ] + Sr [jr ]) = 0] ∧ [Sr [ir ] + Sr [jr ]  ∈ Diff 5 ]] [[Δ(Sr [ir ] + Sr [jr ])  = 0]∧    [Sr [ir ] + Sr [jr ], Sr [ir ] + Sr [jr ] ∈ Diff 5 ] ∧ Sr [Sr [ir ] + Sr [jr ]] = Sr [Sr [ir ] + Sr [jr ]]] ⇐⇒ [c + a = c + b ∧ c + a  ∈ Diff 5 ] [(a + c, b + c ) = (df 0 [1], jr ), (jr , df 0 [2]), (df 0 [2], jr )], (jr , df 0 [1])],

Thus, Prob [ΔZ = 0] =

N −4 N (N −3)

+

4 N (N −1) .

In ΔState[6] : Prob [ΔZ = 0] since Δ(Sr [ir ] + Sr [jr ])  = 0 and ΔSr = 0. From the above, the proposition follows.



New Correlations of RC4 PRGA Using Nonzero-Bit Differences

145

The probability Prob [ΔZ = 0] when i = df 0 [1] follows immediately from Theorem 4 and Proposition 2. Corollary 3. Assume that two permutations S and S  in the (r − 1)-th round are in ΔState[0] and Event[2] occurs in the r-th round. Then, the probability that both outputs are equal in the r-th round, Prob [ΔZ = 0], is given as follows:  Prob [ΔZ = 0] = Prob [Event[2]] ·

N 2 − 4N + 2 2(2N − 1)(N − 2) + N 2 (N − 1) N 2 (N − 1)2



From Corollaries 2 and 3, we get the following theorem. Theorem 5. Assume that two initial permutations S and S  with Diff 0 = {df 0 [1], df 0 [2]} are given. Then, the probability P1 = Prob [ΔZ = 0] in the round r = df 0 [1] is given as  P1 = P2 · ( N−2 )2 +  N = P2 · ( N−2 )2 − N

4 N 2 (N−1)



N 2 −4N−2 N 2 (N−1)

−





N 2 −4N+2 + 2(2N−1)(N−2) , 2 N N 2 (N−1)2  (N−1) 2 2(2N−1)(N−2) 2(2N−1)(N−2) + NN 2−4N+2 + N 2 (N−1)2 , N 2 (N−1)2 (N−1)

+ (1 − P2 ) ·

where P2 = Prob [Event[3]].

Proof: The state of differences between two permutations has the Markov property. Therefore, the probability Prob [ΔZ = 0] in r = df 0 [1] is determined only by the state in the r-th round, where either Event[2] or Event[3] occurs. Theorem 5 follows from this fact. 

 2  2(2N −1)(N −2) +2 The second term of (1 − P2 ) · NN 2−4N + can be dealt with as 2 2 (N −1) N (N −1) an error term if df 0 [1] is large, which will be discussed in Section 5.

5

Experimental Results and New Bias

This section shows experimental results of Theorems 2, 3, and 5, and Corollary 2 in Sections 3 and 4. All experiments were conducted under the following conditions: execute KSA of RC4 with N = 256 for 108 randomly chosen keys of 16 bytes, generate the initial permutation S0 , and set another initial permutation S0 with Diff 0 . Experiments are executed over the following sets of Diff 0 : df 0 [1] = 2, · · · , 2551 for Theorems 2 and 3; and Diff 0 = {df 0 [1], df 0 [2]} = {2 − 254, 255}, {2, 3 − 255}, and {3, 4 − 255} for Theorem 5 and Corollary 2. The percentage absolute error  of experimental results compared with theoreti|experimental value−theoretical value| cal results is computed by  = × 100(%), experimental value which is also used in [10]. 1

Event[3] does not depend on df 0 [2]. See Theorems 2 and 3.

146

5.1

A. Miyaji and M. Sukegawa

Experimental Results of Event[3]

Figure 8 shows experimental results of Prob [Event[3]] and its associated percentage absolute error, where the theoretical value is computed by Theorems 2 and 3. The horizontal axis represents df 0 [1] = 2, · · · , 255. The left side of vertical axis represents Prob [Event[3]], and the right side represents the percentage absolute error. Table 1 shows the cases of df 0 [1] ≤ 6 in detail. Table 1. Experimental results with  > 5 of Event[3] df 0 [1] Theoretical value Experimental value 2 0.003906 0.005350 3 0.007797 0.009069 4 0.015548 0.018221 5 0.015534 0.016751 6 0.019379 0.020501

(%) 26.991 14.027 14.667 7.265 5.472

Only the cases of 2 ≤ df 0 [1] ≤ 6 give the percentage absolute error  ≥ 5, and, thus, our theoretical formulae closely match the experimental results if df 0 [1] > 6. The initial permutation S0 , that is the output of KSA, has a great influence on Event[3] when df 0 [1] is small. Our results indicate that the bias in S0 is propagated to Prob [Event[3]] as the bias in S0 has been reported in [8,2,10]. Figure 8 also indicates that the nonzero bit difference in the position df 0 [1] moves to another position until i = df 0 [1] with Prob [Event[3]] > 30% when df 0 [1] ≥ 93 and, thus, the correlations between S and S  such as Δj = 0 and |ΔS| = 2 remain the same until i = df 0 [2]. 5.2

Experimental Results of Outputs

Figure 9 shows experimental results of Prob [ΔZ = 0] in r = df 0 [1] − 1, df 0 [1], and df 0 [1] + 1, and percentage absolute error in r = df 0 [1] (i.e. i = df 0 [1] − 1), where the theoretical value is computed by Theorem 5. The horizontal axis represents df 0 [1] = 2, · · · , 254. The left side of vertical axis represents Prob [ΔZ = 0], and the right side represents the percentage absolute error. By using the experimental results, we investigate each case of outputs before or on the nonzero-bit difference. Outputs before the nonzero-bit difference Let us discuss Prob [ΔZ = 0] in r = df 0 [1] − 1 (i.e. i = df 0 [1] − 1) for df 0 [1] = 2, · · · , 254. The probability is theoretically estimated in Corollary 2. Our theoretical and experimental results indicate that both outputs of two permutations are coincident with a high probability Prob [ΔZ = 0] > 0.98 during i < df 0 [1]2 . 2

Similar experimental results to i = df 0 [1] − 1 hold during i < df 0 [1] − 1.

New Correlations of RC4 PRGA Using Nonzero-Bit Differences 0.70

147

30.0

0.60

25.0

0.50

20.0

0.40 15.0 0.30 10.0

0.20

5.0

0.10 0.00

0 7

0.0 50

93

100

150

200

250

Fig. 8. Experimental results and  of Event[3] 1.00

5.00

0.90

4.50

0.80

4.00

0.70

3.50

0.60

3.00

0.50

2.50

0.40

2.00

0.30

1.50

0.20

1.00

0.10

0.50

0.00

0.00 0

50

100

150

200

250

Fig. 9. Prob [ΔZ = 0] (df 0 [2] = 255)

Let us discuss3 Prob [ΔZ = 0] in r = df 0 [1] + 1 for df 0 [1] = 2, · · · , 253, where df 0 [1]+1 = i < df 0 [2]. Actually, it corresponds to the case in which i is before the nonzero bit difference df 0 [2] since df 0 [1] + 1 is an index of nonzero bit difference when i = df 0 [1] + 1 from the fact of df 0 [1] + 1 < df 0 [2]. 3

The case of df 0 [1] = 254 is omitted since i indicates the second nonzero bit difference df 0 [2] = 255.

148

A. Miyaji and M. Sukegawa 0.70

100.00 90.00

0.60

80.00 0.50

70.00 60.00

0.40

50.00 0.30

40.00 30.00

0.20

20.00 0.10

10.00

0.00

0.00 0

50

100

150

200

250

Fig. 10. Comparison of Prob [Event[3]] and Prob [ΔZ = 0] 0.050

1.00

0.045

0.90

0.040

0.80

0.035

0.70

0.030

0.60

0.025

0.50

0.020

0.40

0.015

0.30

0.010

0.20

0.005

0.10

0.000

0.00 0

50

100

150

200

250

Fig. 11. Prob [ΔZ = 0] ( df 0 [1] = 3)

Our experimental results show that Prob [ΔZ = 0] in the round df 0 [1] + 1 is almost the same as in the round df 0 [1], which reflects the results in Theorem 1. To sum up, we see that it is highly probable that both outputs of permutations are coincident as long as i does not indicate the index of nonzero bit difference in the current round. Outputs before the nonzero-bit difference: Let us discuss Prob [ΔZ = 0] in r = df 0 [1], where there exists originally4 a nonzero-bit difference. Prob [ΔZ = 0] is estimated theoretically in Theorem 4

If Event[3] has occurred in the round r < df 0 [1], then df 0 [1] is not an index of nonzero bit difference.

New Correlations of RC4 PRGA Using Nonzero-Bit Differences 0.006

149

50.00 45.00

0.005

40.00 35.00

0.004

30.00 0.003

25.00 20.00

0.002

15.00 10.00

0.001

5.00 0.00

0.000 0

50

100

150

200

250

Fig. 12. Occurrence of S0 [1] 3.50E-05

60.0

3.00E-05

50.0

2.50E-05

40.0

2.00E-05 30.0 1.50E-05 20.0

1.00E-05

10.0

5.00E-06 0.00E+00

0.0 0

50

100

150

200

250

Fig. 13. Occurrence of S0 [2] when S0 [1] = 3

5.From the fact that the percentage absolute error  < 1 holds in 2 ≤ ∀df 0 [1] ≤ 254, we see that our theoretical formulae closely match the experimental results in any Diff 0 . Let us discuss the relation between two events of ΔZ = 0 and Event[3] in r = df 0 [1]. Figures 8 and 9 show that df 0 [1] satisfying Prob [ΔZ = 0] > 30% is almost the same as df 0 [1] satisfying Prob [Event[3]] > 30%. In fact, P1 = Prob [ΔZ = 0] in the round df 0 [1] deeply affects P2 = Prob [Event[3]] as we have seen in Theorem 5. Figure 10 shows the comparison between P1 and P2 for 1| 2 ≤ df 0 [1] ≤ 255, where two percentage absolute errors are listed, 1 = |P2P−P 2 and 2 = |P2 −(theoretical)Prob[Event[3]]| for experimental values P1 and P2 . The horiP2 zontal axis represents df 0 [1] = 2, · · · , 254. The left side of vertical axis represents

150

A. Miyaji and M. Sukegawa

Prob [ΔZ = 0], and the right side represents the percentage absolute error. Experimental results show that 1 < 5 (resp. 10) if df 0 [1] > 15 (resp. df 0 [1] > 9) and, thus, we see that the observable event ΔZ = 0 can indicate that the internal event Event[3] occurs with extremely high probability. Figure 11 shows experimental results of Prob [ΔZ = 0] in the round df 0 [1] = 3 in each case of 4 ≤ df 0 [2] ≤ 255 (df 0 [1] = 3), and percentage absolute error. The horizontal axis represents df 0 [2]. The left side of vertical axis represents Prob [ΔZ = 0], and the right side represents the percentage absolute error. The percentage absolute error  < 0.8 holds in 4 ≤ ∀df 0 [2] ≤ 255. We see that our theoretical formulae closely match the experimental results independent of another nonzero-bit difference df 0 [2]. 5.3

Experimental Results of Biases in S0 [1] and S0 [2]

Let us discuss Event[3] when df 0 [1] = 3 in detail, where the error  > 10 (Table 1). Theorem 3 says  that both S0 [1] and S0 [2] determine Event[3], that is, Event[3] ⇐⇒ [S0 [1] = 3] [S0 [1]  = 2, 3 ∧ S0 [1] + S0 [2] = 3]. Here we investigate the bias in S0 [1] and S0 [2] from the point of view of Event[3]. Figure 12 shows experimental results concerning the occurrence of S0 [1] with 0 ≤ S0 [1] ≤ 255, and the percentage absolute error, where the theoretical value (a random association) of occurrence of each S0 [1] is N1 = 3.906×10−3. Figure 13 shows experimental results concerning the occurrence of S0 [2] when S0 [1] = 3, and the percentage absolute error, where the theoretical value (a random association) of occurrence of each (S0 [1] = 3, S0 [2]) is N (N1−1) = 1.532 × 10−5 . The horizontal axis represents S0 [1] or S0 [2]. The left side of vertical axis represents each probability, and the right side represents each percentage absolute error. Table 2. Probability of occurrence S0 [1] S0 [1] 0-9 10 - 19 20 - 29 30 - 39

0.0039 0.0052 0.0051 0.0049

0.0039 0.0052 0.0050 0.0047

Probability of occurrence S0 [1] 0.0054 0.0053 0.0053 0.0053 0.0053 0.0052 0.0052 0.0052 0.0052 0.0051 0.0051 0.0051 0.0050 0.0050 0.0050 0.0050 0.0050 0.0049 0.0049 0.0049 0.0048 0.0049 0.0048 0.0048

0.0052 0.0051 0.0050 0.0048

0.0052 0.0051 0.0049 0.0048

Table 3. Probability of occurrence S0 [2] in S0 [1] = 3 S0 [2] 0-6 7 - 13 14 - 20 108 - 114 115 - 121 122 - 128

0.0000211 0.0000280 0.0000273 0.0000216 0.0000212 0.0000210

Probability of occurrence S0 [2] in S0 [1] = 3 0.0000227 0.0000207 0.0000286 0.0000280 0.0000278 0.0000286 0.0000277 0.0000278 0.0000270 0.0000270 0.0000271 0.0000270 0.0000270 0.0000269 0.0000213 0.0000213 0.0000206 0.0000216 0.0000207 0.0000216 0.0000204 0.0000207 0.0000210 0.0000202 0.0000211 0.0000206 0.0000206 0.0000205 0.0000208

0.0000281 0.0000274 0.0000269 0.0000219 0.0000218 0.0000206

New Correlations of RC4 PRGA Using Nonzero-Bit Differences

151

These experimental results indicate a non-uniform distribution of S0 [1] and S0 [2] when S0 [1] = 3. Tables 2 and 3 show some cases that indicate a non-uniform distribution as follows: Prob [S0 [1] = 3] = 5.303 × 10−3 > 3.906 × 10−3 , Prob [S0 [1] = 3 ∧ S0 [2] = x] > 2.0 × 10−5 > 1.532 × 10−5 for ∀x ≤ 135, Prob [S0 [1] = 3 ∧ 0 ≤ S0 [2] ≤ 128] = 3.05299 × 10−3 > 1.9531 × 10−3 . These non-uniform distribution will be used for a new cryptanalytic analysis in Section 6.

6

A New Cryptanalytic Analysis

Here we investigate how to analyze the internal state of S or j. Assume that two permutations S and S  with Diff 0 = {df 0 [1], df 0 [2]} in the initial round are given, and that both outputs of PRGA are observable. Then, by observing both outputs Z and Z  of PRGA, we can recognize the index of the first nonzero-bit difference from the first round in which both outputs are not equal. This is investigated in Section 5.2. Therefore, if neither df 0 [1] nor df 0 [2] are known, the first nonzero-bit difference is predictable. Consider the case of df 0 [1] = 2. By checking whether ΔZ = 0 in the 2nd round, we can recognize whether Event[3] has occurred. If Event[3] has occurred, then S0 [1] = 2 holds from Theorem 3. The experimental result shows Prob [Event[3] | df 0 [1] = 2] = 0.005350 (see Table 1). However, if we try to predict S0 [1] from a random association, then the probability is 1/256 = 0.003906. Therefore, one can guess S0 [1] with an additional advantage of 0.005350−0.003906 × 0.003906 100 = 36.9 %. Consider the case of df 0 [1] = 3. By checking whether ΔZ = 0 in the 3rd round, we can recognize whether Event[3] has occurred. Let us discuss how to predict both S0 [1] and S0 [2]. If Event[3] has occurred, then [S0 [1] = 3] ∨ [S0 [1]  = 2, 3 ∧ S0 [1] + S0 [2] = 3] holds, from Theorem 3. In the case of S0 [1] = 3, the experimental results show that Prob [Event[3] | df 0 [1] = 3] = 0.009069 (see Table 1) and Prob [S0 [1] = 3] = 0.0053 (see Table 2). On the other hand, we predict S0 [2] with the probability 1/255. Therefore, we can predict (S0 [1], S0 [2]) with the probability 0.0053 × 1/255 = 2.078431 × 10−5 . In the case of [S0 [1]  = 2, 3 ∧ S0 [1] + S0 [2] = 3], if S0 [1] is predicted, then S0 [2] can be predicted promptly. We find that Prob [Event[3] ∧ [S0 [1]  = 2, 3] ∧ [S0 [1] + S0 [2] = 3]] = (0.009069 − 0.0053) × 1/254 = 1.483858 × 10−5 . Therefore, we can predict (S0 [1], S0 [2]) with the probability 1.483858 × 10−5 . Taking both together, the probability to predict (S0 [1], S0 [2]) is 2.078431 × 10−5 + 1.483858 × 10−5 = 3.562289 × 10−5 . On the other hand, if we try to predict (S0 [1], S0 [2]) from a random association, then the probability is 1/256 × 1/255 = 1.531863 × 10−5 . Therefore, one can guess (S0 [1], S0 [2]) with an additional advantage of 3.562289−1.531863 × 100 = 1.531863 132.54 %.

152

7

A. Miyaji and M. Sukegawa

Conclusion

In this paper, we have investigated, for the first time, correlations between two permutations, S and S  , with some differences in the initial round. We have shown that correlations between two permutations S and S  remain before “i” is in the position where the nonzero-bit difference exists in the initial round, and that the correlations remain with non negligible probability even after “i” passed by the position. All theoretical results have been confirmed experimentally. Our results imply that the same correlations between two permutations will be observed with non negligible probability after the 255-th round. This reveals a new inherent weakness of shuffle-exchange-type PRGA. We have also investigated how to predict inner states such as S and j and shown that we can guess inner states with an additional advantage.

References 1. Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis methods for (alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998) 2. Mantin, I.: Analysis of the stream cipher RC4, Master’s Thesis, The Weizmann Institute of Science, Israel (2001) 3. Paul, S., Preneel, B.: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004) 4. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 87–104. Springer, Heidelberg (2002) 5. Mister, S., Tavares, S.E.: Cryptanalysis of RC4-like Ciphers. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 131–143. Springer, Heidelberg (1999) 6. Matsui, M.: Key Collisions of the RC4 Stream Cipher. In: FSE 2009. LNCS. Springer, Heidelberg (to appear, 2009) 7. Golic, J.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997) 8. Mironov, I. (Not So) Random Shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002) 9. Paul, G., Rathi, S., Maitra, S.: On Non-negligible Bias of the First Output Byte of RC4 towards the First Three Bytes of the Secret Key. Designs, Codes and Cryptography 49, 123–134 (2008) 10. Paul, G., Maitra, S., Srivastava, R.: On Non-Randomness of the Permutation after RC4 Key Scheduling. In: Bozta¸s, S., Lu, H.-F(F.) (eds.) AAECC 2007. LNCS, vol. 4851. Springer, Heidelberg (2007), http://eprint.iacr.org/2007/305.pdf 11. Mantin, I.: Predicting and Distinguishing Attacks on RC4 Keystream Generator. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506. Springer, Heidelberg (2005) 12. Tomasevic, V., Bojanic, S.: Reducing the State Space of RC4 Stream Cipher. In: Bubak, M., van Albada, G.D., Sloot, P.M.A., Dongarra, J. (eds.) ICCS 2004. LNCS, vol. 3036, pp. 644–647. Springer, Heidelberg (2004) 13. Fluhrer, S.R., McGrew, D.A.: Statistical Analysis of the Alleged RC4 Keystream Generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001)

Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders Mohammad Reza Reyhanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Research, School of Computer Science and Software Engineering University of Wollongong, Australia {rezar,wsusilo,ymu}@uow.edu.au

Abstract. Two of the most recent and powerful multi-property preserving (MPP) hash domain extension transforms are the RamdomOracle-XOR (ROX) transform and the Enveloped Shoup (ESh) transform. The former was proposed by Andreeva et al. at ASIACRYPT 2007 and the latter was proposed by Bellare and Ristenpart at ICALP 2007. In the existing literature, ten notions of security for hash functions have been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, aSec, eSec (TCR), Pre, aPre, ePre, MAC, PRF, PRO. Andreeva et al. showed that ROX is able to preserve seven properties; namely collision resistance (CR), three flavors of second preimage resistance (Sec, aSec, eSec) and three variants of preimage resistance (Pre, aPre, ePre). Bellare and Ristenpart showed that ESh is capable of preserving five important security notions; namely CR, message authentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Nonetheless, there is no further study on these two MPP hash domain extension transforms with regard to the other properties. The aim of this paper is to fill this gap. Firstly, we show that ROX does not preserve two other widely-used and important security notions, namely MAC and PRO. We also show a positive result about ROX, namely that it also preserves PRF. Secondly, we show that ESh does not preserve other four properties, namely Sec, aSec, Pre, and aPre. On the positive side we show that ESh can preserve ePre property. Our results in this paper provide a full picture of the MPP capabilities of both ROX and ESh transforms by completing the property-preservation analysis of these transforms in regard to all ten security notions of interest, namely CR, Sec, aSec, eSec (TCR), Pre, aPre, ePre, MAC, PRF, PRO. Keywords: Hash Functions, Domain Extension, MPP, ROX, ESh.

1

Introduction

A cryptographic hash function is a function that can map variable length strings to fixed length strings. Hash functions have been used in a vast variety of 

The full version of this paper is available from [16].

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 153–170, 2009. c Springer-Verlag Berlin Heidelberg 2009 

154

M.R. Reyhanitabar, W. Susilo, and Y. Mu

applications, e.g. digital signature, MAC, PRF, and must provide different security properties depending on the security requirements of the applications. The most well-known property for a hash function is collision resistance (CR). Nevertheless, hash functions are often asked to provide many other security properties ranging from merely being a one-way function (i.e. preimage resistance property) to acting as a truly random function (i.e. a random oracle). In a formal study of cryptographic hash functions two different but related settings can be considered. The first setting is the traditional unkeyed hash function setting where a hash function refers to a single function H : M → n {0, 1} (e.g. SHA-1) that maps variable length messages to a fixed length output hash value. In the second setting, a hash function is considered as a family of functions H : K × M → {0, 1}n , also called a “dedicated-key hash function” [3], indexed by a key space K. The exact role of the hash function key is applicationdependent; it can be a public parameter, e.g. when the hash function is used in a digital signature, or a secret key like in MAC and PRF applications. In this paper, we consider hash functions and their security notions in the dedicated-key hash function setting. Almost all cryptographic hash functions are designed based on the following two-step approach: first a compression function is designed which is only capable of hashing fixed-input-length (FIL) messages and then a domain extension transform is applied to get a full-fledged hash function which can hash variable-input-length (VIL) or arbitrary-input-length (AIL) messages, depending on the transform. Assume that we have a (dedicated-key) compression function h : {0, 1}k × {0, 1}n+b → {0, 1}n that can only hash messages of fixed length (n + b) bits. A domain extension transform can use this compression function (as n a black-box) to construct a (dedicated-key) hash function H : K × M → {0, 1} , ∗ where the message space M can be either {0, 1} (in which case H is an AIL hash <2λ

function) or {0, 1} , for some huge positive integer λ, e.g. λ = 64 (in which case H is a VIL hash function). For instance, the strengthened-MD domain extension transform [12, 8, 3] yields to a VIL hash function while the Prefix-free domain extension transform [7, 3] yields to an AIL hash function. In practice the difference between being VIL or AIL hash function will not be of a concern as for typical value of λ = 64 almost all messages will have length less than 264 <264 bits, i.e. will belong to {0, 1} . From security viewpoint, the crux sought from a domain extension transform is its property preserving capability; that is, if the underlying compression function h possesses some security property P, then the obtained full-fledged hash function H should also provably possess the property P. The most well-known domain extension transform is the strengthened Merkle-Damg˚ ard (MD) construction which was shown by Merkle [12] and Damg˚ ard [8] to be a CR preserving transform. Bellare and Rogaway in [6] showed that strengthened MD, despite preserving CR property, is unable to preserve UOWHF property (put forth by Naor and Yung [15]) which is a weaker than CR property. They renamed UOWHF as target collision resistance (TCR) and provided four domain extension transforms for preserving the TCR property. Shoup in [18] provided a transform (improving XLH

Analysis of Property-Preservation Capabilities of the ROX and ESh

155

transform of Bellare-Rogaway in [6]), which is shown to be UOWHF and CR preserving. Mironov [14] showed that Shoup’s transform is optimal from key expansion viewpoint among masking based serial transforms for TCR preservation. Coron et al. [7] introduced the notion of random oracle preservation and provided prefix-free MD transform which is capable of preserving (pseudo-)random oracle, which means that if the compression function is modeled as a random oracle then the AIL hash function obtained by applying prefix-free MD transform will also be indifferentiable from a random oracle [7, 11]. A new line of research recently has been initiated by Bellare and Ristenpart in [5], and followed in several other works, e.g. [3, 1], with the aim of designing multi-property-preserving (MPP) domain extension transforms. An MPP transform is capable of preserving multiple security properties simultaneously while extending the domain of a compression function. Two of the most recent and powerful MPP transforms are the Enveloped Shoup (ESh) transform designed by Bellare and Ristenpart in [3] and the Random-Oracle XOR (ROX) transform by Andreeva et al. in [1]. Both ESh and ROX are variants of Shoup (Sh) transform proposed in [18]. ESh is a standard model transform and was shown to be the best-performing, in terms of property preserving capability, among the nine transforms studies in [3]. It is shown in [3] that ESH preserves five security notions; namely CR, TCR, MAC, PRF, and PRO. ROX was shown to be the only transform among the twelve transforms investigated in [1] which is able to preserve seven security notions; namely CR, Sec, aSec, eSec, Pre, aPre, and ePre as put forth by Rogaway and Shrimpton in [17]. But unlike to other transforms, ROX “..., quite controversially, uses a random oracle in the iteration.” [1], although Andreeva et al. in [1] provide arguments justifying the merits of such a limited application of auxiliary FIL random oracles in their construction from practical viewpoint. Our Contribution. We complete property-preservation analysis of the ROX and ESh transforms by providing new negative and positive results in regard to their MPP capabilities. Our results complete the property preservation analysis of ROX and ESh in regard to all ten security notions of interest, namely CR, Sec, aSec, eSec (TCR), Pre, aPre, ePre, MAC, PRF, PRO. For the ROX transform, we show that it does not preserve MAC and PRO. This settles the open question of [1] about MAC and PRO preservation capability of the ROX, in a negative way. On the positive side we notice that the ROX is also a PRF preserving transform. Regarding the ESh transform, we show that ESh does not preserve Sec, aSec, Pre, and aPre properties. As a positive result about ESh we show that it also preserves ePre property. The overview of the results are shown in Table 1. A “Yes” means that the property is provably preserved by the transform. A “No” means that the property is not preserved and this is shown either by showing a counterexample compression function or by some attacks benefiting from the structural weakness of the transform in regard to the specific security property. Unreferenced entries are the results shown in this paper. We leave the question of a ten-property-preserving transform without any random oracle as an interesting open question.

156

M.R. Reyhanitabar, W. Susilo, and Y. Mu

Table 1. Overview of the MPP capabilities of the ESh and ROX hash domain extension transforms in regard to ten security notions. Unreferenced entries are the results shown in this paper. ESh CR (Coll) Yes [3] Sec No aSec No eSec (TCR or UOWHF) Yes [3] Pre No aPre No ePre Yes MAC Yes [3] PRF Yes [3] PRO Yes [3]

2 2.1

ROX Yes [1] Yes [1] Yes [1] Yes [1] Yes [1] Yes [1] Yes [1] No Yes No

Preliminaries Notations $

If A is a probabilistic algorithm with access to some oracle f (.) then by y ← Af (.) (x1 , · · · , xn ) it is meant that y is the output random variable which is defined by running A, given inputs x1 , · · · , xn and having oracle access to f (.). To $

show that an algorithm A is run without any input, we use the notation y ← A(). By time complexity of an algorithm we mean the running time, relative to some fixed model of computation plus the size of the description of the algorithm $ using some fixed encoding method. If X is a finite set, by x ← X it is meant that x is chosen from X uniformly at random. By X ← Y it is meant that the value Y is simply assigned to the variable X. Let x||y denote the string obtained from concatenating string y to string x. Let 1m and 0m , respectively, denote a string of m consecutive 1 and 0 bits, and 1m 0n denote the concatenation of 0n to 1m . By (x, y) we mean an injective encoding of two strings x and y, from which one can efficiently recover x and y. For a binary string M , let |M | denote its length in bits and |M |b  |M |/b denote its length in b-bit blocks. Let M [i] denote the i-th bit of M , and Mi...j denote the bits from i-th to j-th positions, i.e. Mi...j = M [i] · · · M [j]. If S is a finite set we denote size of S by |S|. For a positive integer m, let mλ denote its representation as a binary string of length exactly λ bits. The set of all binary strings of length n bits (for some positive integer n) n is denoted as {0, 1} , the set of all binary strings whose lengths are variable but upper-bounded by N is denoted by {0, 1}≤N and the set of all binary strings of ∗ arbitrary length is denoted by {0, 1} . The set of all functions f : Dom → Rng (from a domain Dom to a range Rng) is denoted by Func(Dom, Rng). 2.2

Definition of Security Notions

In this section, we recall definition of ten security notions for hash functions; namely, the seven notions (Coll, Sec, aSec, eSec, Pre, aPre and ePre) formalized

Analysis of Property-Preservation Capabilities of the ROX and ESh

157

in [17] as well as PRF, MAC, PRO. All definitions are for a dedicated-key hash n function H : K × M → C, where C = {0, 1} for some positive integer n, ∗ the key space K is some nonempty set and the message space M ⊆ {0, 1} m such that {0, 1} ⊆ M for at least a positive integer m. For any M ∈ M and K ∈ K, we use the notations HK (M ) and H(K, M ) interchangeably. The advantage measures for an adversary A attacking H are defined in Fig. 1 for the ten security notions. We say that H is (t, l, )-xxx, for xxx ∈ {Coll, Sec[δ], aSec[δ], eSec, Pre[δ], aPre[δ], ePre}, if the advantage of any adversary A with time complexity at most t and using messages of length at most l, is less than , in attacking H in xxx sense. Note that four of the notions (namely, Sec[δ], aSec[δ], Pre[δ] and aPre[δ]) δ are parameterized by δ where {0, 1} ⊆ M. If H is a compression function (i.e. an FIL hash function), then parameter δ and the resource parameter l for the adversary will be the same as the fixed input length of the compression function and hence omitted from the notations. It is shown in [17] that the strength of provisional implications between different notions depends on the relative size of δ and the hash size n. For more related details we refer to [17].

Fig. 1. Definitions of ten security notions for a hash function family H [17, 3]

158

M.R. Reyhanitabar, W. Susilo, and Y. Mu

For xxx ∈ {M AC, P RF }, we say that H is (t, q, l, )-xxx if the advantage of any adversary A having time complexity at most t and making at most q queries with maximum query length of l bits is at most . PRO Notion. The definition of pseudorandom oracle preservation for a hash function was first considered by Coron et al. in [7] using the indifferentiability framework of Maurer et al. in [11], and further studied in the following works, e.g. in [5, 3]. The definition for the dedicated-key setting that we consider in this paper, as shown in Fig. 1, is due to Bellare and Ristenpart [3]. PRO is defined formally as follows. Adversary A is given ‘oracles access’ to h either the VIL hash function HK (.) and FIL random oracle hK (.), or a VIL random oracle F (.) and a simulator S F (K, .). A must differentiate between these two worlds and the simulator’s goal is to mimic the FIL random oracle hK (.) in h a way that convinces adversary A that HK (.) is F (.) (i.e. the two worlds become indifferentiable from A’s view). The PRO advantage of an adversary A against H is defined as the difference between the probability that A outputs a one when h given oracle access to HK (.) and hK (.) and the probability that it outputs a one when given oracle access to F (.) and the simulator S F (K, .). We say that H is (tA , tS , q1 , q2 , l, )−PRO, if for any adversary A having time complexity at most t and making at most q1 queries from its first (left) oracle and q2 queries from its second (right) oracle with maximal query length of l bits, there exits a simulator RO S with time complexity tS such that makes AdvP (A) < . H The Special Case of ROX Construction. In the case of a hash function obtained using ROX construction, the VIL hash function H utilizes two FIL random oracles RO1 and RO2 in its construction as well as a compression function h. In this case the definitions should be straightforwardly adapted to consider the existence of these two auxiliary FIL random oracles, namely adversary A will be also given oracle access to RO1 and RO2 and the number of queries from these oracles should also be considered as additional resource parameters for the adversary A. One also must use the generalized PRO notion based on the indifferentiability framework of [11] to involve these additional random oracles. We provide the required generalized definition in section 3.1 of this paper, following [11, 5]. Briefly saying, the simulator will have to simulate three random oracles for the adversary, namely the compression function itself (which for PRO notion is modeled as an FIL random oracle), as well as the two auxiliary random oracles used by the ROX in addition to h. More details are given in section 3.1 of this paper. 2.3

Hash Domain Extension k

n+b

n

Assume that we have a compression function h : {0, 1} × {0, 1} → {0, 1} that can only hash messages of fixed length (n + b) bits. A domain extension transform can use this compression function (as a black-box) to construct a n hash function H : K × M → {0, 1} , where the message space M can be either ∗

<2λ

{0, 1} or {0, 1}

, for some positive integer λ (e.g. λ = 64). The key space K

Analysis of Property-Preservation Capabilities of the ROX and ESh

159

is determined by the construction of a domain extender. Clearly log2 (|K|) ≥ k, as H involves at least one invocation of h. A domain extension transform comprises two functions: an injective ‘padding function’ and an ‘iteration function’. First, the padding function P ad : M → DI is applied to an input message M ∈ M to convert it to the padded message n P ad(M ) in a domain DI . Then, the iteration function f : K × DI → {0, 1} uses the compression function h as many times as required, and outputs the final hash value. The full-fledged hash function H is obtained by combining the two functions. In the case of ROX transform both the padding algorithm (rox-pad) and the iteration algorithm need small-input random oracles as well. The padding functions used in the Sh, ESh and ROX domain extension transforms are ‘Strengthening’, ‘Strengthened Chain Shift’ and ‘rox-pad’ defined as follows, where 2λ is the maximum message length in bits (typically λ = 64) :  <2λ Lb – Strengthening: pads : {0, 1} → L≥1 {0, 1} , where pads (M ) = p M ||10 || |M |λ and p is the minimum number of 0’s required to make the length of pads (M ) a multiple of block length. λ  – Strengthened Chain Shift: padCSs : {0, 1}<2 → L≥1 {0, 1}Lb+b−n , where padCSs (M ) = M ||10r || |M |λ ||0p , and parameters p and r are defined in two ways depending on the block length b. If b ≥ n + λ then p = 0, otherwise p = b − n. Then r is the minimum number of 0’s required to make Lb+b−n the padded message a member of {0, 1} , for some positive integer L.  <2λ L.b k RO2 – rox-pad: rox-pad : {0, 1} → L≥1 {0, 1} , where RO2 : {0, 1} × λ

log b

{0, 1} × {0, 1}

2n

→ {0, 1}

is an auxiliary FIL random oracle, and

rox-padRO2 (M ) = M ||RO2 (M1...k , |M |λ , 1)||RO2 (M1...k , |M |λ , 2)|| · · · where the last block of padded message must contain at least 2n bits generated by RO2 which implies adding a new final block just for padding if necessary. The iteration functions for Sh, ESh and ROX transforms are shown in Fig. 2, where IV, IV1 , and IV2 are some known initial values and IV1  = IV2 . RO1 : k k log λ n {0, 1} × {0, 1} × {0, 1} → {0, 1} is a random oracle used by the ROX iteration function to generate required key masks. <2λ n The variable-input-length (VIL) hash function H : K × {0, 1} → {0, 1} , for H ∈ {Sh, ESh, ROX}, obtained by applying Sh, ESh, or ROX domain extension transforms on a fixed-input-length (FIL) hash function h : {0, 1}k × n+b n {0, 1} → {0, 1} is defined, respectively, as follows: k+tn

Sh(K, M ) = fSh (K, pads (M )), where K = K||K0 || · · · ||Kt−1 ∈ {0, 1}

ESh(K, M ) = fESh (K, padCSs (M )), where K = K||K0 || · · · ||Kt−1 ∈ {0, 1}k+tn RO (.)

k

1 ROX RO1 ,RO2 (K, M ) = fROX (K, rox-padRO2 (.) (M )), where K ∈ {0, 1}

160

M.R. Reyhanitabar, W. Susilo, and Y. Mu

Fig. 2. Iteration functions of Shoup (Sh), Enveloped Shoup (ESh), and ROX transforms

3

Property Preservation Analysis of the Transforms

In this section we analyze property preserving capability of the ROX and ESh transforms in terms of the ten security notions defined in section 2.2, namely CR (Coll), Sec, aSec, eSec(TCR), Pre, aPre, ePre, MAC, PRF, PRO. ROX was already shown in [1] to be able to preserve seven properties, namely: CR (Coll), Sec, aSec, eSec, Pre, aPre, and ePre. We complete a propertypreservation analysis of ROX in regard to the other three important security notions (i.e. MAC, PRF, PRO) and gather both negative and positive results. On the negative side we show that ROX cannot preserve MAC and PRO notions. As a positive result we note that ROX can also preserve PRF. Next we investigate ESh transform. ESh was already shown in [3] to be able to preserve five properties, namely: CR (Coll), MAC, PRF, PRO, and TCR (eSec). We complete the property preservation analysis of ESh with respect to the remaining five properties among the ten notions by showing, as negative results, that ESh does not preserve four properties, namely Sec, aSec, Pre, aPre, and as a positive result we show that it can also preserve ePre. 3.1

Analysis of the ROX Transform

In this section we provide two negative results about PRO and MAC preservation and one positive result about PRF preserving capability of the ROX domain extension transform. Among these results, the negative result showing that ROX does not preserve PRO seems more interesting regarding the fact that ROX,

Analysis of Property-Preservation Capabilities of the ROX and ESh

161

unlike all other hash domain extension transforms, uses random oracles in its construction. Indifferentiability Analysis of the ROX Construction. Our aim is to show that ROX transform does not preserve PRO, i.e., the VIL hash function obtained using ROX transform is differentiable from a true VIL random oracle. We first provide the required generalization of PRO notion for the case of ROX construction based on the indifferentiability framework of [11]. Then we provide our negative result in Theorem 1. For the purpose of PRO analysis (in the dedicated key hash setting [3]), the k n+b n compression function h : {0, 1} × {0, 1} → {0, 1} is modeled as a family n+b n of FIL random oracles, i.e. hK : {0, 1} → {0, 1} is assumed to be an FIL random oracle for any value of the key K where hK (.) = h(K, .). We note that the ROX transform itself utilizes two additional FIL random oracles, namely RO1 and RO2 in generation of the key masks used in the iteration function and k padding, respectively. Hence the VIL hash function ROX hK ,RO1 ,RO2 : {0, 1} × λ {0, 1}<2 → {0, 1}n will have access to three FIL random oracles, namely hK (.), RO1 (.) and RO2 (.). According to the general indifferentiability framework of [11] which is used to define PRO in [7, 5, 3], adversary A will be given access <2λ n to four oracles; namely, a VIL oracle O1 : {0, 1} → {0, 1} , and three FIL orn+b n k k log λ n acles as O2 : {0, 1} → {0, 1} , O3 : {0, 1} × {0, 1} × {0, 1} → {0, 1} k λ log b 2n and O4 : {0, 1} × {0, 1} × {0, 1} → {0, 1} , and must differentiate between the following two worlds: $

k

– World 1: A random key K ← {0, 1} is selected. The oracles are set as O1 (.) = ROX hK ,RO1 ,RO2 (K, .), O2 (.) = hK (.), O3 (.) = RO1 (.), O4 (.) = RO2 (.). A is given K as input and has access to the four oracles. $ k – World 2: A random key K ← {0, 1} is selected. O1 (.) = F (.) where <2λ

n

F : {0, 1} → {0, 1} is a true VIL random oracle. A simulator S F (K) = F F (S1 (K), S2 (K), S3F (K)), having access to the oracle F (.) and receiving K as input, simulates the role of the three FIL random oracles for the adversary. That is, in this world when adversary queries the first oracle (i.e. the VIL oracle) O1 the response comes from the true VIL random oracle F (.), but when adversary queries any of the three FIL oracles O2 (.), O3 (.) and O4 (.), the queries are forwarded to the the simulator S. Simulator will respond to these queries trying to mimic the oracles hK (.), RO1 (.) and RO2 (.), respectively, by its sub-algorithms S1 , S2 and S3 in a way that convinces A that O1 (.) is ROX hK ,RO1 ,RO2 (K, .) although it is now actually F (.). Let HK (.) = H(K, .) = ROX hK ,RO1 ,RO2 (K, .). The PRO advantage of the adversary in differentiating H from F is defined as follows:    RO  = AdvP (A) = Pr AO1 , O2 , O3 , O4 (K) ⇒ 1 |World 1 − H   Pr AO1 , O2 , O3 , O4 (K) ⇒ 1 |World 2 

162

M.R. Reyhanitabar, W. Susilo, and Y. Mu

We say that an adversary A is a (tA , tS , q1 , q2 , q3 , q4 , l, )-differentiating adversary against H if its PRO advantage is at least  against any simulator S having time complexity at most tS , where the time complexity of the adversary is at most tA , the number of queries from i-th oracle is at most qi (for 1 ≤ i ≤ 4) and the length of each query is at most l bits. Now we are ready to state our negative result which shows the inability of ROX to preserve PRO. Theorem 1 (Negative Result: PRO). ROX domain extension transform does not preserve pseudorandom oracle. Proof. We show a (c, tS , 2, 1, 1, 2, 3b−2n, 1−2−n)-differentiating adversary against H, i.e. A has overwhelming PRO advantage of 1 − 2−n in differentiating the VIL <2λ n hash function ROX hK ,RO1 ,RO2 : {0, 1} → {0, 1} from a true VIL random <2λ

n

oracle F : {0, 1} → {0, 1} , with respect to any simulator S with arbitrary time complexity tS . A has time complexity tA = c, where c is a small constant, and it asks only: two queries from the first oracle O1 , one query from the second oracle O2 , one query from the third oracle O3 and two queries from the fourth oracle O4 . The maximum query length is 3b − 2n bits. Adversary A acts as follows: $

2b−2n

1. M ← {0, 1} and Y ← O1 (M ); 2. IP ← O4 (M1...k , 2b − 2nλ , 1); 3. 4. 5. 6. 7.

$

b−2n

M  ← {0, 1} and Z ← O1 (M ||IP ||M  ); K0 ← O3 (K, M1...k , 0); OP ← O4 (M1...k , 3b − 2nλ , 1); Z  ← O2 (Y ⊕ K0 )||M  ||OP ; If Z = Z  then return 1 (i.e. guess that it is World 1) else return 0 (i.e. guess that it is World 2 )

From the construction of the of the World  ROX hash function and the description  1, it can be seen that Pr AHK (.), hK (.), RO 1 (.), RO2 (.) (K) ⇒ 1 = 1. We claim F

F

F

that Pr AF (.), S1 (K), S2 (K), S3 (K) (K) ⇒ 1 = 2−min{n,2b−2n−k} . This can be

seen by noting that in World 2, the only queries that the simulator S F (K) = (S1F (K), S2F (K), S3F (K)) can see and must respond to are the queries from O2 , O3 , and O4 oracles. It is worth reminding that, the simulator cannot see query-response sequence between the adversary A and the first oracle O1 due to the definition of indifferentiability [7, 5, 3], as these queries are answered directly by the true VIL random oracle F in World 2. Hence referring to the description of the adversary A, it can be seen that the simulator S just is given the first k bits of the first message M , i.e. M1...k , and has no information about the remaining 2b − 2n − k bits of the message M . Hence to make A output a one (i.e. to fool A), simulator S must either guess these 2b − 2n − k unknown bits of M (with success probability of 2−(2b−2n−k) ) or guess the correct value of Z (with success probability of 2−n ) in order to be able to provide a correct value Z  at step 6 of A’s differentiating attack. (Note that the success probability of

Analysis of Property-Preservation Capabilities of the ROX and ESh

163

S in guessing the correct value of these unknown bits is independent of the time complexity of S, i.e. tS , as S has no information about these bits.) So, we have RO AdvP (A) = 1 − 2−min{n,2b−2n−k} . It remains to verify that 2b − 2n − k ≥ n. H According to the construction of rox − padRO2 it must be the case that b ≥ 2n and referring to [1], typical values for k and n are suggested as k = 80 bits and n = 160 bits for an 80-bit security level, i.e. we have k ≈ n/2. Hence RO min {n, 2b − 2n − k} = n and AdvP (A) = 1 − 2−n as claimed.   H MAC Preservation Analysis of the ROX. We show that the ROX transform does not preserve MAC (unforgeability). This is done by providing as a counterexample, a compression function h which is a secure MAC but for which the VIL hash function obtained by using ROX transform will be insecure in MAC sense. k n+b n−1 Assume that there is a compression function g : {0, 1} ×{0, 1} → {0, 1} which is (t, q, )−MAC. Consider the following construction from [3] for a comk n+b n pression function h : {0, 1} × {0, 1} → {0, 1} , where s = log2 (n):

gK (C||M )||C[i] if M = is ||0b−s for i ∈ {1, · · · , n − 1} hK (C||M ) = gK (C||M )||C[n] otherwise It is shown in [3] that if g is (t, q, )−MAC then h will be (t−cq, q, )−MAC, where c is a small constant. Note that h leaks the i-th bit of its chaining variable input C to the output if its input block M equals to is ||0b−s , for i ∈ {1, · · · , n − 1}, and otherwise h leaks the n-th (i.e. the last) bit of C. We use this counterexample to prove the following negative result. Theorem 2 (Negative Result: MAC). ROX domain extension transform does not preserve MAC. Proof. Consider the above counterexample function h as an FIL MAC. We show that the VIL function H(K, .) = ROX h,RO1 ,RO2 (K, .) obtained by applying the ROX transform on this FIL MAC h will not be a secure MAC. This is done by describing an adversary A which can break H(K, .) in MAC sense, with success probability ≈ 14 and whose computational resources are only: one query from the random oracle RO2 (.), 2(n − 1) queries from the function HK (.) with maximum length of each query 4b − 2n bits, and a constant time complexity proportional to n. The idea behind the construction of the adversary A is the same “length reduction attacks” used in [3] to show that Sh transform is not MAC preserving. We adapt the attack for the case of ROX transform by considering the special padding function rox-padRO2 used by the ROX. The algorithm for the adversary A is shown in Fig. 3. It has oracle access to HK (.) and RO2 (.). Note that in definition of the MAC security notion, the key K is considered secret from the adversary and hence A cannot compute HK (.) directly. It selects an all zero string of length 2b − 2n bits as M = 02b−2n , for which it tries to return a valid tag T under HK (.). To this aim, A first queries RO2 as IP ← RO2 (M1...k , 2b − 2nλ , 1) to get the 2n-bit response IP (IP stands for

164

M.R. Reyhanitabar, W. Susilo, and Y. Mu

‘internal padding’). It then queries oracle HK (.) on n−1 messages, each of length 4b − 2n bits, constructed as QHi = M ||IP || is ||0b−s ||0b−2n , and it receives the response Yi = HK (QHi ), for i ∈ {1, · · · , n − 1} . Let yi denote the last bit of Yi , i.e. yi = Yi [n]. According to the ROX construction and the structure of the counterexample compression function h, the value of the bit yi will be computed as yi = HK (M )[i] ⊕ K0 [i] ⊕ K2 [n] with overwhelming probability of at least 1 − 2−min{2n,b−s} . This can be seen from (the Top-Right diagram in) Fig. 3 noting that the final block contains 2n bits of random padding string (denoted by OP ) as its last bits and hence this final block input to the compression function h is not equal to is ||0b−s with probability at least 1 − 2−min{2n,b−s} , for i ∈ {1, · · · , n − 1}, and therefore h will leak the last bit (i.e. n-th bit) of its chaining variable input to the output Yi . Therefore with probability at least 1 − 2−min{2n,b−s} , the variable yi (for 1 ≤ i ≤ n − 1) contains the i-th bit of the tag T for the message M (i.e. T [i] = HK (M )[i]) masked with the unknown key bits K0 [i] and K2 [n]. For typical values of b and n (say b = 512, n = 160) we can make 1 − 2−min{2n,b−s} ≈ 1 and so we assume that this probability is approximately one, to prevent unnecessary complexity in the analysis. Now A tries to peel off the unknown key bits K0 [i], for 1 ≤ i ≤ n − 1. It queries HK (.) on n − 1 messages, each of length 2b − 2n bits, constructed as qHi = is ||0b−s ||0b−2n and receives the response Zi = HK (qHi ), for i ∈ {1, · · · , n − 1}. Let zi denote the last bit of the Zi , i.e. zi = Zi [n]. According to the description of HK (.) and the structure of the counterexample function h, the value of bit zi will be computed as zi = HK (qHi )[i] = IV [i] ⊕ K0 [i] ⊕ K1 [n] with overwhelming probability of at least 1 − 2−2n . This can be seen from (the Bottom-Right diagram in) Fig. 3 noting that the final block contains 2n bits of random padding string (denoted by OPi ) as its last bits and hence this final block input to the compression function h is not equal to is ||0b−s with probability at least 1 − 2−2n , for any i ∈ {1, · · · , n − 1}, and hence h will leak the last bit (i.e. n-th bit) of its chaining variable input to the output Zi . For a typical value of n (say n = 160 as in SHA-1) we can make 1 − 2−2n ≈ 1 and so we assume that this (overwhelming) probability is approximately one. Now for each i ∈ {1, · · · , n − 1} adversary builds a variable ti = yi ⊕ zi ⊕ IV [i] whose value will be ti = HK (M )[i] ⊕ K1 [n] ⊕ K2 [n] (with overwhelming probability of at least (1 − 2−2n )2 ≈ 1 for typical values of n, say n = 160). Note that the value of the remaining unknown masking bit K1 [n] ⊕ K2 [n] is independent of the index i, i.e. it is the same for all ti and therefore adversary can guess this unknown value with probability 1/2. That is, for a random guess $

α ← {0, 1} with probability 1/2 the value ti ⊕α will be equal to HK (M )[i] = T [i] (i.e. the correct tag value), for all i ∈ {1, · · · , n − 1}. It just remains to compute the last bit of the tag T , i.e. T [n], but A just guesses this one bit and with probability 1/2 this guess will be correct. Hence the adversary A computes a correct MAC tag T for the message M under HK (.) with probability 1/4 (or more precisely with probability 14 (1 − (n − 1)2−2n+1), which for any typical value of hash size n, say n = 160, will be ≈ 1/4). Note that the message M never is queried from HK (.) in the attack and so this is a valid forgery attack.

Analysis of Property-Preservation Capabilities of the ROX and ESh

165

Fig. 3. (Left) Description of the algorithm for an adversary A against the VIL function HK (.) = ROX RO1 ,RO2 (K, .) based on the (counterexample) FIL MAC function h. (Right) The structure of the queries from HK (.) and computation of the responses according to the ROX construction.

Referring to the algorithm for A it is seen that A is quite efficient as its computational resources are: one query from the random oracle RO2 (.), 2(n − 1) queries from the function HK (.) with maximum length of each query 4b−2n bits, and a constant time complexity proportional to n which can be easily determined from the description of A.   Theorem 3 (Positive Result: PRF). ROX domain extension transform preserves PRF. Proof. This result is just a straightforward corollary of a theorem in [3] (Theorem 5, page 407) showing that in the dedicated-key hash function setting (where the compression function is a keyed hash function) Merkle-Damg˚ ard transform and all of its variants including Shoup are PRF preserving transforms. As shown in [3, 4] even if the key masks (K0 , K1 , · · · ) in Shoup construction are made public and only the key (K) for the compression function is kept secret then Shoup transform will still be PRF preserving. Clearly a special case will be putting the value of all key masks to zero in which case Shoup iteration will be the same as Merkle-Damg˚ ard iteration which is a PRF preserving transform in the dedicated-key hash setting [4]. We note that the iteration function of the ROX transform is exactly the same as Shoup where the key masks are generated using a random oracle (Refer to Fig. 2).  

166

3.2

M.R. Reyhanitabar, W. Susilo, and Y. Mu

Analysis of the ESh Transform

The following theorems show our results about the ESh. We show both negative results and a positive result about property preservation capability of ESh. Theorem 4 (Negative Results: Sec, aSec, Pre, and aPre). ESh domain extension transform does not preserve any of the Sec, aSec, Pre, and aPre security properties. Proof. The proof is done by showing, as a counterexample, a compression function which is secure in xxx sense for xxx ∈ {Sec, aSec, Pre, aPre} but for which the full-fledged hash function obtained using ESh domain extension transform is completely insecure in xxx sense for xxx ∈ {Sec[δ], aSec[δ], Pre[δ], aPre[δ]} and for any value of the parameter δ < 2λ (remember that 2λ is the maximum input message length in bits). Referring to the description of the strengthened chain shift padding function (padCSs ) used in ESh transform, we consider the following two cases depending on the sizes of the parameters b, n and λ (note that for ESh, b ≥ n and typical value of λ = 64): – Case 1: if b ≥ n + λ then padCSs (M ) = M ||10r || |M |λ – Case 2: if b < n + λ then padCSs (M ) = M ||10r || |M |λ ||0b−n k

n+b

n−1

Assume that there is a compression function g : {0, 1} ×{0, 1} → {0, 1} which is (t, )-xxx, where xxx is any of the four properties in {Sec, aSec, Pre, aPre}. For Case 1 and Case 2, respectively, consider the following two compression functions h1 : {0, 1}k × {0, 1}n+b → {0, 1}n and h2 : k n+b n {0, 1} × {0, 1} → {0, 1} :

n 0 if Mn+b−λ+1...n+b = δλ h1 (K, M ) = g(K, M )||1 otherwise

h2 (K, M ) =

0n if M2n+1...n+b = 0b−n g(K, M )||1 otherwise

Construction of the counterexamples h1 and h2 are inspired from the counterexamples used in [5, 1] where we make some small modifications in the conditions defining these two functions to consider the effect of padCSs padding in ESh transform. To complete the proof of the theorem we prove and combine the following two lemmas. The first lemma shows that the compression functions h1 and h2 inherit security properties xxx ∈ {Sec, aSec, Pre, aPre} from the compression function g and the second lemma shows that ESh transform cannot preserve these four properties while extending the domain of h1 or h2 compression functions. Note that only one of these compression functions are used depending on which of the two conditions specified in Case 1 and Case 2 above are the case. Lemma 1. If g is (t, )-xxx then h1 is (t,  + 2−λ )-xxx and h2 is (t,  + 2−(b−n) )xxx, for any of the notions xxx ∈ {Sec, aSec, Pre, aPre}.

Analysis of Property-Preservation Capabilities of the ROX and ESh

167

Proof. The proof can be found in the full version of this paper [16]. Lemma 2. For any xxx ∈ {Sec[δ], aSec[δ], Pre[δ], aPre[δ]}, and for any value of δ < 2λ , there is a simple adversary which can break the domain extended hash function ESh(K, M ) = fESh (K, padCSs (M )) using h1 or h2 as the compression function. Proof. Considering the description of the padCSs and counterexample compresδ sion functions h1 and h2 , we have ESh(K, M ) = 0 for any M ∈ {0, 1} . Hence, in Pre[δ] and aPre[δ] attacks adversary A just needs to output any arbitrary M  ∈ {0, 1}δ and wins with probability one. Similarly, in Sec[δ] and aSec[δ] δ attacks A only needs to output any M  ∈ {0, 1} which is different from the δ challenge message M ∈ {0, 1} and wins with probability one. That is, the λ VIL hash function ESh : K × {0, 1}<2 → {0, 1}n , defined as ESh(K, M ) = fESh (K, padCSs (M )) using h1 or h2 is completely insecure in xxx sense for xxx ∈ {Sec[δ], aSec[δ], Pre[δ], aPre[δ]} and for any value of the parameter δ, where δ < 2λ .   Theorem 5 (Positive Result: ePre). If the compression function h : {0, 1}k × n+b n {0, 1} → {0, 1} is (t, )−ePre then the full-fledged hash function ESh : λ K × {0, 1}<2 → {0, 1}n defined as ESh(K, M ) = fESh (K, padCSs (M )) will be (t , )−ePre, where t = t − c, for a small constant c. Proof. Assume that there is an adversary A against ePre property of the hash function ESh with time complexity t and advantage  . We construct an adversary B which can break the compression function h in ePre sense with the same advantage (i.e.  =  ) and whose time complexity is that of A plus a small constant time (i.e. t = t + c). Adversary B runs A and on receiving the value of Y from A outputs the same value Y as its own target hash value in the first phase of ePre game. B receives K (the random key for h), gen $ t.n erates K0 || · · · ||Kt−1 ← {0, 1} , where t = log2 (2λ /b) + 1 and sends the key K||K0 || · · · ||Kt−1 to adversary A as the key for the full-fledged hash function ESh. Note that because B by this phase just knows the Y and does not know the length of the input message to the hash function ESh, it generates a key  string of maximum required length for the XOR masks, i.e. t.n bits, for t = log2 (2λ /b) + 1 where 2λ /b is the maximum possible input length in blocks and n is the hash size. Now on receiving the message M  from A (which is to be a preimage for Y under ESh, i.e. Y = ESh(K||K0 || · · · ||Kt−1 , M  ) ), adversary B simply outputs the value (IV2 ⊕ K0 )||(CL−1 ⊕ Kμ )||ML as a preimage for Y (refer to Fig. 2) which is the input to the final application of the compression function h in the construction of ESh hash function. Clearly B wins whenever A wins. The time complexity of B is that of A plus the time required to generate t random n-bit keys, where t = O(λ) (typically λ = 64), and the time to compute the hash function ESh on a message of length |M  |.  

168

4

M.R. Reyhanitabar, W. Susilo, and Y. Mu

Can We Preserve All Properties?

In the previous section we showed that the ROX transform, which is a random oracle variant of Shoup, does not preserve MAC and PRO notions and also we showed that the Enveloped Shoup (ESh) transform does not preserve Sec, aSec, Pre, aPre notions. An immediate question arises from this analysis is that whether we can preserve all the ten properties simultaneously by a new domain extension transform. Using FIL Random Oracles. If we are allowed to use some FIL Random Oracles in our construction in the same way that ROX does (i.e. uses FIL random oracles just for padding and generation of masking keys), then our analysis in the previous section hints us toward a candidate for such a ten-propertypreserving transform by just mixing components from both ESh and ROX. We notice that, as shown in Fig. 2, ROX utilizes Shoup’s iteration as its underlying iteration function and uses FIL random oracles for generation of masking keys and padding function. Hence the natural candidate for a ten property preserving transform in random oracle model can be a random oracle variant of ESh with some necessary adaptation in a similar way that ROX is obtained from Sh. We call such a transform as Random-Oracle Enveloped Shoup (RO-ESh). For more details and analysis of properties of RO-ESh we refer to the full version of this paper in [16]. Without Any Random Oracle. As it was shown in analysis of ESh, as a standard model transform, the four properties, namely; Pre, aPre, Sec, and aSec are not preserved by ESh. It appears to be a crux to preserve these four properties (simultaneously) in the standard model by an efficient transform. Regarding the Sec property, Andreeva and Preneel [2] proposed a keyed transform to extend the domain of a keyless compression function. The proposed dedicated-key hash construction is CR and Sec secure provided that the underlying keyless compression function is, respectively, CR or Sec (here CR and Sec are defined for a dedicated-key hash function and a keyless compression function, respectively). Unfortunately the proposed scheme cannot be shown to be Pre secure in standard model and only a random oracle argument is provided in [2] for its Pre property. For Pre notion, the only transform in the standard model that is pointed out in [1] to be Pre preserving is the XOR Tree scheme, but it does not preserve aPre and aSec [1]. For aSec and aPre notions, there is currently no transform in the literature that can preserve aSec and aPre in the standard model. We remind that a hash domain extension transform preserves a property P if the constructed VIL hash function provably possesses P assuming that the underlying compression function satisfies the same property P. This is different from a scenario where one proves that the VIL hash function has property P if its underlying compression function satisfies a different property P , e.g. [19], or a collection of different assumptions, e.g. [10, 9].

Analysis of Property-Preservation Capabilities of the ROX and ESh

5

169

Conclusion

In this paper, we analyzed two recently proposed MPP hash domain extension transforms, namely the Random-Oracle-XOR (ROX) transform and the Enveloped Shoup (ESh) transform. We showed that ROX does not preserve MAC and PRO notions, but it preserves PRF. We also showed that ESh does not preserve Sec, aSec, Pre, and aPre, but it preserves ePre. Our results complete the MPP analysis of both ROX and ESh transforms in regard to all ten security notions of interest, namely CR, Sec, aSec, eSec (TCR), Pre, aPre, ePre, MAC, PRF, PRO, and provide the full picture of their MPP capabilities. An interesting open question is that whether one can (simultaneously) preserve the remaining four properties, namely Pre, aPre, Sec, and aSec in the standard model with an efficient transform. Acknowledgments. We would like to thank the anonymous reviewers of ACISP 2009 for their comments and suggestions.

References [1] Andreeva, E., Neven, G., Preneel, B., Shrimpton, T.: Seven-Property-Preserving Iterated Hashing: ROX. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 130–146. Springer, Heidelberg (2007) [2] Andreeva, E., Preneel, B.: A Three-Property-Secure Hash Function. In: Avanzi, R., Keliher, L., Sica, F. (eds.) SAC 2008. Workshop Records, pp. 208–224 (2008) [3] Bellare, M., Ristenpart, T.: Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms. In: Arge, L., Cachin, C., Jurdzi´ nski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 399–410. Springer, Heidelberg (2007) [4] Bellare, M., Ristenpart, T.: Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms. Cryptology ePrint Archive, Report 2007/271 (2007), http://eprint.iacr.org/ [5] Bellare, M., Ristenpart, T.: Multi-Property-Preserving Hash Domain Extension and the EMD Transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006) [6] Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997) [7] Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damg˚ ard Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005) [8] Damg˚ ard, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990) [9] Dodis, Y., Puniya, P.: Getting the Best Out of Existing Hash Functions; or What if We Are Stuck with SHA? In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 156–173. Springer, Heidelberg (2008) [10] Halevi, S., Krawczyk, H.: Strengthening Digital Signatures Via Randomized Hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)

170

M.R. Reyhanitabar, W. Susilo, and Y. Mu

[11] Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004) [12] Merkle, R.C.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990) [13] Mironov, I.: Collision-Resistant No More: Hash-and-Sign Paradigm Revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006) [14] Mironov, I.: Hash Functions: From Merkle-Damg˚ ard to Shoup. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 166–181. Springer, Heidelberg (2001) [15] Naor, M., Yung, M.: Universal One-Way Hash Functions and Their Cryptographic Applications. In: STOC 1989, pp. 33–43. ACM Press, New York (1989) [16] Reyhanitabar, M.R., Susilo, W., Mu, Y.: Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders. Cryptology ePrint Archive, Report 2009/170 (2009) [17] Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004) [18] Shoup, V.: A Composition Theorem for Universal One-Way Hash Functions. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 445–452. Springer, Heidelberg (2000) [19] Yasuda, K.: How to Fill Up Merkle-Damg˚ ard Hash Functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 272–289. Springer, Heidelberg (2008)

Characterizing Padding Rules of MD Hash Functions Preserving Collision Security Mridul Nandi National Institute of Standards and Technology [email protected]

Abstract. This paper characterizes collision preserving padding rules and provides variants of Merkle-Damg˚ ard (MD) which are having less or no overhead costs due to length. We first show that suffix-free property of padding rule is necessary as well as sufficient to preserve the collision security of MD hash function for an arbitrary domain {0, 1}∗ . Knowing this, we propose a simple suffix-free padding rule padding only log |M | bits for a message M , which is less than that of Damgard’s and Sarkar’s padding rules. We also prove that the length-padding is not absolutely necessary. We show that a simple variant of MD with 10d -padding (or any injective padding) is collision resistant provided that the underlying compression function is collision resistant after chopping the last-bit. Finally, we design another variant of MD hash function preserving all three basic security notions of hash functions, namely collision and (2nd) preimage, which is an improvement over a recently designed (SAC-08) three-property preserving hash function. Keywords: resistant.

1

MD hash function, padding rule, suffix-free, collision

Introduction

Hash function has become an essential object in many cryptographic protocols [4] particularly in signature schemes [2,6,11]. It takes an input from a message space s M (usually {0, 1}∗ or {0, 1}≤2 −1 for some s) and it outputs a t-bit string for a fixed t. The hash function plays role of preprocessor in many applications so that one can work with t-bit H(M ) instead of an arbitrary sized M , which essentially helps us to keep design of a protocol simple and efficient. In most cases, securities of these protocols rely on the collision resistance property (it is hard to find two different messages with same hash value) of the hash function. The most popular design of a hash function is Merkle-Damgard [5,10] or MD hash function where a compression function f : {0, 1}b+t → {0, 1}t is designed first. Given a message, some additional bits may be padded to it so that it can be partitioned into several blocks of size b. The compression function is then sequentially applied to an initial value and to all blocks of the padded message. It seems difficult to design a hash function, based on only simple logical or/and arithmetical operations, which can provide absolute collision security (or provable collision security like discrete log C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 171–184, 2009. c Springer-Verlag Berlin Heidelberg 2009 

172

M. Nandi

based hash function [7]). But it is well known that the MD hash functions with length strengthening (padding length of the input) preserves collision security (i.e. the hash function is collision resistant if so is the compression function). So we can at least reduce the infeasibility assumption of a hash function to a smaller domain compression function. Padding rule is essential for MD hash function (proposed by both Damgard [5] and Merkle [10] independently in crypto-1989). However they used different padding rules. Merkle’s padding rule can not handle arbitrary length messages. Sarkar [15] recently introduced a padding rule which can handle arbitrary messages and the number of padding bits is O(log |M | log∗ |M |) for some slowly growing function log∗ defined in [15]. This is asymptotically less that that of Damgard’s padding rule where O(|M |) bits are padded. Note, if the size of padded bits is more, it may cost more invocations of the underlying compression function. So, in terms of efficiency of hash function, one should try to keep size of pad as small as possible. Any arbitrary padding may not be good as the hash function is desired to preserve collision security. Clearly, injectivity is a basic requirement of a padding rule. A padding rule is said to preserve collision security (for MD) if the hash function with this padding rule preserves collision security. So, it is worthwhile to characterize all padding rules preserving collision security. Our Contribution. In this paper, we first show that suffix-free property is both necessary and sufficient to preserve collision security for MD hash function. Damgard in [5] mentioned prefix-free padding rules. Stinson [16], Bellare and Rogaway [3] mentioned suffix-free property while proving collision preserving of particular padding rules. Even though sufficiency of suffix-free padding rule seems intuitive, we do not know any paper proving it. Some observations on Merkle’s padding rule can be found in [8]. On the other hand, the necessity of the suffix-free property is non-trivial. We propose a simple efficient suffix-free padding rule, padding O(log(|M |)) bits, which can handle arbitrary messages. We see a comparison of new padding rules with known padding rules in Table 1. Let a t-bit compression function f is collision resistant in the first (t − 1)bits (i.e. collision resistant after chopping the last bit). We show that a simple variant of MD hash function (converting 0t chaining value (if any) into 0t−1 1) without any length-padding (any injective padding such as 10d -padding works) is collision resistant. We actually prove a stronger statement which says that any collision of the new hash function reduces to either a collision of f or a collision of the first (t − 1) bits of f with the collision value 0t−1 . Thus, we are able to remove overhead costs due to length. We also provide an improved three property (collision, (2nd) preimage) preserving salted hash function which is a variant of MD hash function and is more efficient than recently proposed hash function [1] in terms of salt size. Organization of the paper. We first give an overview of the security notions of a hash function and padding rules of MD hash functions in section 2. In section 3, we characterize the collision preserving padding rules for any fixed initial value. We also have provided simple examples of padding rule in the same

Characterizing Padding Rules of MD Hash Functions

173

section. In the following section, we prove a simple variant can completely avoid length-padding and still have collision security under a reasonable additional assumption. In section 5, we study an improved variant of BCM (backward chaining mode) hash function which preserves all basic three security notions of a hash function.

2

Overview of MD Hash Function, Padding Rule

A hash function H : M → {0, 1}t is called a collision resistant [14,17] hash functions if it is “hard” to find a collision pair (M, M  ) i.e., M  = M  such that H(M ) = H(M  ). We define collision-advantage of an algorithm A as   Advcoll = M ] H (A) := Pr[A → (M, M ) : H(M ) = H(M ), M 

where probability is calculated over the random coins of A. Informally, a hash function is called collision resistant if, for any efficient algorithm A, the collision advantage of A for H is negligible. Unfortunately, we can not rule out the existence of an efficient collision finding algorithm A outputting (M, M  ) which is eventually a collision pair of the hash function H. But nobody may know or write down this algorithm based on our current knowledge. Therefore, we can say that a hash function is collision resistant if no efficient collision finding algorithm is known for it. Rogaway formalized this approach by introducing human ignorance model [13]. Keeping this in mind, we use the following definition of preserving properties of hash securities. Definition 1. A hash family H := {HIV }IV∈{0,1}t based on a compression function f is said to preserve (,  )-collision security if given an efficient algorithm A with at least  collision advantage for H, we can construct (write down its code modulo the subroutine A) an efficient algorithm A with at least  collision advantage for f . Merkle-Damgard Hash function. Markle-Damgard or MD hash function has three basic components namely, (1) an underlying compression function f : {0, 1}b+t → {0, 1}t for some b > 0, (2) an initial value IV ∈ {0, 1}t and (3) an easily computable padding rule pad : M → ({0, 1}b )+ for some message + space M. We define the classical iterated function fIV : ({0, 1}b )+ → {0, 1}t + as fIV (M1 , · · · , M ) = f (f (· · · f (IV, M1 ), · · · ), M ), M1 , · · · , M ∈ {0, 1}b. The MD hash function MDfIV,pad is defined as the composition of the following maps: pad

f+

IV M −→ ({0, 1}b )+ −→ {0, 1}t

MDfIV,pad (M )

(mapping as a function)

Thus, for all M ∈ M., = An illustration is given in figure 1. Padding rule is essential to make the message size compatible with the + domain of fIV as well as to keep the hash function collision preserving. In this paper, we will mainly study padding rules of MD and its different variants. + fIV (pad(M )).

Padding Rules. The simplest possible (must be injective) padding rule is pad0 (M ) = M 10d where d is the smallest nonnegative integer such that |M | +

174

M. Nandi

Msg Pad M1

IV = h0

...

M2

f

...

f h1

Ml

h2

f hl-1

hl

Fig. 1. The classical sequential iteration of a compression function

1 + d is a multiple of b. However, pad0 may not be sufficient to show the collision resistance property of MD under the only assumption that f is collision resistant. We show that if initial value is fixed then there is a compression function f which is collision resistant but we can actually construct a collision pair efficiently for MDfIV,pad0 . Moreover, the same result is true for any other “simply defined” padding rule which is not suffix-free (see Theorem 1 in section 3.3). Definition 2. Let X, Y ∈ {0, 1}∗. We call X a suffix of Y if there exists a binary string Z such that Y = ZX. A padding rule pad is called suffix-free if, for any M  = M  , pad(M ) is not a suffix of pad(M  ). Here, we list some known padding rules. In crypto-1989, Damgard and Merkle independently proposed the classical MD iteration, but with different padding rules. Besides Merkle’s and Damgard’s padding rule, Sarkar defined a generalized version of Merkle’s padding rule which has message space {0, 1}∗ unlike Merkle’s s padding rule where message space is {0, 1}2 −1 for some fixed s. 1. Merkle’s padding rule: The message space M = {0, 1}2 −1 for some fixed s (we usually choose s = 64 or 128) and the padding rule is defined as padmerk (M ) = M  10d  lens (M ) where d is the smallest nonnegative integer such that d + (|M | + 1 + s) is a multiple of b and lens (M ) represents the s bit binary representation of |M |. The classical MD hash function uses Merkle’s padding rule. For example, SHA-2 hash family is nothing but MD hash function with Merkle’s padding rule for s = 64. Note that Merkle’s padding rule can hash messages of maximum possible size 2s − 1. s

2. Damgard’s padding rule: The message space for Damgard’s padding rule is {0, 1}∗ . He used different padding rule paddamg which does not need to pad length of the message but it pads every message block by a single bit 0 or 1 depending on whether it is first block or not and finally, it pads one complete block representing the amount of 0-padding. More precisely, let M 0d = x1  · · · xk where |xi | = b − 1 and d is the smallest nonnegative integer such that |M | + d is multiple of b − 1. Now, paddamg (M ) = 0  x1  1  x2  · · ·  1  xk  lenb (d)

Characterizing Padding Rules of MD Hash Functions

175

One disadvantage of using Damgard’s padding is that for large messages it is not as efficient as Merkle’s length padding as it needs more number of padded bits. However, unlike padmerk , it can be applied to any arbitrary messages. 3. Sarkar’s padding rule: Sarkar defined a new padding rule which can be applied to any tree based iteration which includes the classical sequential iteration. The padding rule is defined as padsarkar (M ) = 0  X0  0d0  1  X1  0d1  · · ·  1  Xk  0dk where X0 = M , Xi = χ(Xi−1 ), 1 ≤ i ≤ k and χ(x) denotes the smallest binary representation of |x|. Let k be the least positive integer such that |Xk | ≤ b. The di ’s are smallest nonnegative integer so that |Xi | + di is a multiple of b − 1. Note that, it can handle arbitrary messages and needs O(log(|M |) × log∗ (|M |)) many padded bits where log∗ is much slower function compare to log (see [15] for a precise definition). It is straightforward to see that all these padding rules are suffix-free (we leave it for readers to verify). We provide a simple example of suffix-free padding rule padlength which needs O(log(|M |)) many bits. Basically, we apply Damgard’s padding rule to the length of the message instead of applying it to the whole message. The precise definition of the padding rule can be found in section 3.2 and it is parameterized by a parameter s. Note that for any choice of s, the message space of this padding rule is {0, 1}∗. This padding is so far the most efficient padding rule (in terms of the number of padding bits) and if the message size is less than 263 then this padding rule with s = 64 is same as Merkle’s padding rule. Therefore in practice, we can apply MD hash function as long as message size is less than 263 . In table 1, we make a comparison for all these padding rules with respect to message space M, length of the padded bits for a message M and how it preserves the collision security. Table 1. A comparison table for different padding rules with an underlying compression function f : {0, 1}b+t → {0, 1}t . pad0 represents the 10d padding rule defined in this section and padlength represents the suffix padding rule defined in the section 3.2. Padding length is given in terms of order. The last column represents when the hash function is collision secure. padding rule message space padmerk [10] paddamg [5] padsarkar [15] padlength pad0

≤2s −1

{0, 1} {0, 1}∗ {0, 1}∗ {0, 1}∗ {0, 1}∗

padding length

assumption on f

b collision-secure |M | collision-secure log |M | log∗ |M | collision-secure log |M | collision-secure b (t − 1)-bit collision-secure

176

3

M. Nandi

Characterization of Collision Preserving Padding Rules

In this section, we characterize all padding rules applied to MD hash function preserving the collision resistant property. We first show that suffix-free padding rule is sufficient to preserve collision resistant and then we provide some simple examples of suffix-free padding rules which are better than the known padding rules in terms of the padding size and the message space, in which padding rule can be applied. Finally, we show that suffix-free property is also necessary to preserve collision resistant property. 3.1

Sufficient Condition of Collision-Preserving Padding

For any f : {0, 1}b+t → {0, 1}t and h ∈ {0, 1}t we have defined the iterated function fh+ : ({0, 1}b )+ → {0, 1}t. We can extend the definition to the domain ({0, 1}b)∗ by defining fh+ (λ) = h where λ is the empty bit string. It is easy to see that if X1 ∈ ({0, 1}b)k1 and X2 ∈ ({0, 1}b)k2 then fh+ (X1 X2 ) = fh+ (X2 ) where h = fh+ (X1 ). Now we provide basic intuitive lemma whose immediate corollary is that the suffix-free padding rule preserves collision resistant for MD hash function. The lemma says that if we have free-start collision for iterated hash f + (i.e., fh+ (X) = fh+ (X  )) with same length then there must be an intermediate collision during computations of fh+ (X) and fh+ (X  ). A computation of fh+ (x1 , · · · , xk ) means that the sequence of computations of hi = f (hi−1 , xi ), 1 ≤ i ≤ k, where h0 = h. Lemma 1. (basic lemma) Let f : {0, 1}b+t → {0, 1}t and (h, x1 , · · · , xk )  = (h , x1 , · · · , xk ) where h, h ∈ {0, 1}t and x1 ,x1 ,· · · , xk , xk ∈ {0, 1}b. Then, fh+ (x1 , · · · , xk ) = fh+ (x1 , · · · , xk ) ⇒ f (z, xi ) = f (z  , xi ), (z, xi )  = (z  , xi ) where 1 ≤ i ≤ k, z = fh+ (x1 , · · · , xi−1 ) and z  = fh+ (x1 , · · · , xi−1 ). Proof. Define h0 = h, h0 = h , hi = fh+ (x1 , · · · , xi ) and hi = fh+ (x1 , · · · , xi ), 1 ≤ i ≤ k. Now we restate the statement of the lemma as follows. Given that hk = hk and (h0 , x1 , · · · , xk )  = (h0 , x1 , · · · , xk ) there must exist   0 ≤ i < k such that (hi , xi+1 )  = (hi , xi+1 ) but hi+1 = hi+1 . Thus, we have a collision f (hi , xi+1 ) = hi+1 = hi+1 = f (hi , xi+1 ). To prove that there exists above such i, we use the contradiction method. So assume that, for all i, it is not true. Therefore, for all 1 ≤ i < k, hi+1 = hi+1 implies that (hi , xi+1 ) = (hi , xi+1 ). Starting from hk = hk we have (hk−1 , xk ) = (hk−1 , xk ). Since hk−1 = hk−1 we also have (hk−2 , xk−1 ) = (hk−2 , xk−1 ) and so on. Thus we must have (h0 , x1 , · · · , xk ) = (h0 , x1 , · · · , xk ) which is not true. Hence the claim is proved by contradiction. 

Characterizing Padding Rules of MD Hash Functions

177

f + Recall that, HIV,pad (M ) = fIV (pad(M )) for a padding rule pad : M → ({0, 1}b)+ . Here we fix an initial value IV and hence we are only interested in a single hash function and we write H := MDfpad . The computation of padding rule must be injective. Otherwise we will be able to find a collision of the hash function easily for any choice of underlying compression function. More precisely, if we have two messages M  = M  such that pad(M ) = pad(M  ) then clearly f f  HIV,pad (M ) = HIV,pad (M ) for any f . Since we usually choose a simply defined padding rule we can assume that we will be able to find efficiently a collision pair (M, M  ) of the padding rule if it is not injective. Now we want to classify all padding rules such that MD hash functions based on these padding rule preserves collision security for any choice of initial value. Here we show that this class is nothing but the set of all suffix-free padding rules.

Theorem 1. Sufficient Condition for collision-preserving padding If pad is suffix-free padding rule then given any collision pair (M, M  ) for MDfpad

we can construct a collision pair of f efficiently. Thus, MDfpad is preserving (, )-collision security for any  > 0. Proof. Let pad(M ) = X and pad(M  ) = X  . Without loss of generality we assume that |X| ≤ |X  |. Let X ∈ ({0, 1}b )k and X  = (Z, Y ) where Y ∈ ({0, 1}b )k . Define h = fh+ (Z). As (M, M  ) is a collision pair, fh+ (X) = fh+ (X  ) and hence f h (X) = fh (Y ) where both X and Y are members of ({0, 1}b)k and X  = Y (since pad is suffix-free and hence X is not a suffix of X  ). Thus, by using the above basic lemma 1 we must have a collision for f in the computation of fh+ (X) and fh+ (Y ). Since the computation of fh+ (X  ) includes the computation of fh+ (Y ), we are done. The collision advantage for f is at least the collision advantage of MD hash function. The efficiency of the collision finding for f is simple as we need to compute at most (|M | + |M  |)/b computations of f where (M, M  ) is a collision pair generated from a collision finding algorithm for MD hash function.  3.2

Simple Examples of Suffix-Free Padding Rules

We would like to note that known padding rules such as Damgard’s padding rule, Merkle’s padding rule, Sarkar’s padding rule are all suffix-free. Proposition 1. The padding rules padmerk , paddamg , and padsarkar are suffixfree. Hence the Merkle-Damg˚ ard hash function based on these padding rules preserves the collision security. It is straightforward to verify and so we leave it for readers to verify. Recall that Damgard and Sarkar’s padding rules have domain {0, 1}∗ whereas the Merkle’s d padding rule has domain {0, 1}2 −1 for some fixed d. Damgard padding rule pads O(|M |) bits to the message M whereas Sarkar’s padding rule needs roughly O(log∗ |M | log |M |) many bits pad where log∗ (|M |) is much slower function compared to log(|M |). Now we propose a much simpler padding rule which is suffixfree and which takes O(log(|M |)) many padded bits.

178

M. Nandi

Let χs (|M |) denote the smallest multiple of s-bit binary representation of |M |. One can fix a suitable integer s, such as 8,32,64 etc. In other words, we first have a binary represent of |M | and then add a sequence of 0’s in the beginning of the length representation so that the size becomes multiple of s. Now we write χs−1 (|M |) = p1  · · · p−1 p where |pi | = s − 1 for 1 ≤ i ≤ . Let d be the smallest non-negative integer such that (d + |M | + s) is multiple of b. Now we define padlength(M ) = M  0d  0  p1  1  p2  1  · · ·  p . By definition of d the size of padlength becomes multiple of b. It is easy to see that this padding rule pads d+s many bits which is at most b+ log(|M |)+ log(|M|) s−1 . So the number of padding bits for this padding rule is O(log |M |). Moreover, it can also be applied to any arbitrary message. Now we prove that it is a suffix-free padding rule. By using theorem 1, the MD hash function with this padding rule preserve collision security. Lemma 2. The padding rule padlength is suffix-free. Proof. Suppose padlength (M  ) = (X, padlength (M )) for some X, M and M  . Let us denote 

padlength (M ) = M 0d 0p1 1p2 · · · 1p , padlength (M ) = M  0d 0p1 1p2 · · · 1p . Since padlength (M  ) = (X, padlength (M )) we must have  =  and pi = pi , 1 ≤ i ≤  by comparing the positions of 1 and 0 bits. So, |M | = |M  | and hence d = d . Thus, |padlength (M  )| = |padlength (M )|. So, X = λ and padlength (M  ) = padlength(M ) and hence M = M  . This proves that padlength is suffix-free.  Remark 1. Note that for any messages of size up to 263 the padding rule padlength with s = 64 is same as padmerk . So we can use Merkle’s padding rule and for any message longer than 263 one can extend the definition by using padlength with s = 64. One may argue that the Merkle’s padding rule is sufficient enough for all practical messages and the new padding rule only have of theoretical interest. However, in some applications (such as smart card) short messages appear more frequently (message sizes are usually less than 215 ). In those application, we can choose small value of s (such as 8 or 16). With this padding rule, we save at least 16 bit padding and as a result the hash function may be faster (since we can save sometimes one compression function invocation which is significant for short messages) than usual Merkle’s padding rule. So, there are some applications where this padding rules are practically useful. Note that with s = 16, we can pad any message of arbitrary length. If we know that the message size can be large then s = 32 a reasonable choice. Remark 2. Instead of padding length of the message, one can pad the number of message blocks. The padding rule capturing this notion is defined as follows: padlength (M ) = M  10d  0  p1  1  p2  1  · · ·  p

Characterizing Padding Rules of MD Hash Functions

179

where χs−1 ( |M| b ) = p1  · · · p−1 p and d is the smallest non-negative integer such that (d + 1 + |M | + s) is multiple of b. This variant actually pads the number of blocks of the message M instead of length of the message. In terms of order, both padding rule needs O(log |M |) many bits. However, in most cases of message sizes, the later needs less number of padding bits. 3.3

A Necessary Condition for Collision-Preserving Padding Rule

We have shown that any suffix-free property is good for collision-preserving. Now we show that it is also a necessary condition. To show this let us fix a padding rule pad which is not suffix-free. Therefore, we also fix M  = M  such  that pad(M ) is a suffix of pad(M ). We can do so since we assume that padding rule is simply defined function and hence it must be easy to find such a pair. Now we first construct a compression function f given a collision secure compression f function f  such that (M, M  ) is a collision pair of Hpad . Then we prove that finding collision of f given M and M  and the oracle f is as hard as finding collision of f  . This proves that suffix-free padding rule is necessary to have a collision-preserving MD hash function for any compression function and for any initial value. Theorem 2. Suffix-free is necessary condition Let pad be a fixed padding rule which is not suffix-free. Now, given a collision resistant compression function f  there is a collision resistant compression function f . Moreover, the Merkle-Damg˚ ard hash function based on f with the padding rule pad is not collision resistant (by providing a collision pair of it). Proof. Let us assume that there is a (t − 1)-bit collision resistant compression function f  : {0, 1}b+t → {0, 1}t−1, otherwise the question is moot. Without loss of generality, let the last bit of IV is 1. We have fixed a pair (M, M  ) such that pad(M ) is a suffix of pad(M  ). Let pad(M  ) = (X, m)pad(M ), m ∈ {0, 1}b and X ∈ ({0, 1}b)∗ . For simplicity we first assume that X = λ. Define   f (x)  0 if x  = IVm f (x) = IV if x = IVm f Thus, f (IV, m) = IV, a fixed point for f . Now it is easy to see that Hpad (M ) =

f Hpad (M  ). Now we have to show that f is collision resistant. Suppose there exists a collision finding algorithm A which finds collision for f . Let x  = x such   that f (x) = f (x ) where A returns the collision pair (x, x ). Now, it is easy to check that (x, x ) is a collision pair of f  too. Since we do not know any collision algorithm for f  , f must be collision resistant. Now consider the case where X ∈ ({0, 1}b)+ . We first define f(x) = f  (x)0 + and compute IV = fIV (X). Note that the last bit of IV is 0 and hence it is different from IV. Since f  is a collision resistant compression function, IV should be different from all other intermediate values in the computation of + fIV (X). Otherwise, we will be able to find collision of f  easily. We define

180

M. Nandi

 f (x) =

f  (x)  0 if x  = IV m IV if x = IV m

So, f (x) and f(x) are same whenever x  = IV m. Since IV is different from all + + other intermediate values in the computation of fIV (X), we must have fIV (X) = f + fIV (X) = IV. Now we can show that (M, M  ) is a collision pair of Hpad . Note f + + + that, Hpad (M  ) = fIV (X, m, pad(M )) = fIV  (m, pad(M )) = fIV (pad(M )) =

f f f Hpad (M ). Hence Hpad (M ) = Hpad (M  ). Now we show that the compression function f is also collision resistant. Suppose not, x  = x and f (x) = f (x )      then clearly f (x) = f (x ) if x, x  = IV m. Moreover x or x can not be IV m otherwise the last bits of f (x) and f (x ) will be different. Hence f is collision resistant as long as f  is collision resistant. The collision pair (M, M  ) also does not help to find a collision since M and M  are efficiently computable and we can use M and M  for any collision finding algorithm for f  . 

4

Length Padding is Redundant for a Variant of MD

In this section, we prove that the length padding is unnecessary if we use a small variant of Merkle-Damg˚ ard hash function and the underlying compression function is little more secure than collision resistant. We define the variant of the Merkle-Damg˚ ard hash function as follows.

Algorithm 1. A Variant of Merkle-Damg˚ ard Hash Function Require: f : {0, 1}t × {0, 1}b → {0, 1}t , M ∈ {0, 1}∗ . 1: d is the remainder when we divide t − |M | − 1 by t. 2: partition M 10d = M1  · · · M , M1 , · · · , M ∈ {0, 1}b 3: h0 = 0t 4: for i = 1 to  do 5: hi = f (hi−1 , Mi ) 6: if hi = 0t then 7: hi = 0t−1 1 8: end if 9: end for 10: return h .

We simply apply MD hash function with pad0 padding and with a checking in internal chaining value. If we ever come up with 0t as a chaining value then we simply change the chaining value into 0t−1 1. So we can think that it is MD hash function based on a compression function f  defined below.  f (x) if f (x)  = 0t f  (x) = t−1 0 1 if f (x) = 0t Note that 0 = 0t is also the initial value of the Merkle-Damg˚ ard hash function.   Suppose MDf0 (M ) = MDf0 (M ) with M  = M  . Then by using simple backward

Characterizing Padding Rules of MD Hash Functions

181

induction on the padded messages, we can prove that either there is a collision of f  or there is a message x ∈ {0, 1}b+t such that f  (x) = 0. By definition of f  , there does not exist any such x. If (x, x ) is a collision pair of f  then either it is also a collision for f or f (x) = 0t and f (x ) = 0t−1 1. So either we have a collision of f or we have collision on the first (t − 1) bits of f with the collision value 0t−1 . Clearly, satisfying the second condition seems much harder than finding collision for any reasonable practical construction of a compression function. Thus, we have proved the following theorem. Theorem 3. Suppose it is hard to find collision of f or it is hard to find X0 and X1 such that f (X0 ) = 0t and f (X1 ) = 0t−1 1 then the hash function based on f defined in Algorithm 2. is collision resistant. Corollary 1. Suppose it is hard to find collision on the first (t − 1)-bits of a compression function f then the hash function based on f defined in Algorithm 2. is collision resistant. Remark 3. In the last section, we have proved that the suffix-free padding is necessary to preserve collision security for MD hash function. To do so, we provide a pathological example of the underlying compression function (easy to get the initial value 0t even though it is collision secure). On the contrary, in this section, we show that any injective padding rule, not necessarily suffix-free, is sufficient to have collision security. Actually, we make sure that the pathological case does not appear by imposing the if condition (see step-6 of the Algorithm 2.). This is the main reason, we do not contradict each other. Moreover, the variant actually do not preserve collision security according to the definition 1. But, it says that if we have little more security of the underlying compression function than collision security, then the hash function is collision secure. The additional security assumption seems to hold for any known practical secure hash function.

5

Three-Property Preserving Hash Function

Now we consider salted hash function which outputs the hash value with a salt K ∈ {0, 1}s which is chosen randomly and keep it public (unlike message authentication code, hash function should be publicly computable). We denote the salted hash function as HK (·) where K is the salt. We define three basic securities of a hash function for a salted hash function. These are collision, preimage and second-preimage and its corresponding advantages of adversaries is defined as   Advcoll = M ] H (A1 ) = Pr[A1 (K) → (M, M ) : HK (M ) = HK (M ), M 

  Adv2PI = M ] H (A3 ) = Pr[A3 (K, M ) → M : HK (M ) = HK (M ), M  PI AdvH (A2 ) = Pr[A(K, z) → M : HK (M ) = z]

where probabilities are computed over the internal randomness of the adversaries, uniform distribution of K, z and M chosen from {0, 1}s , {0, 1}t, and

182

M. Nandi

Algorithm 2. A Variant of Merkle-Damg˚ ard Hash Function BCMfpad0 Require: f : {0, 1}t × {0, 1}b → {0, 1}t and M ∈ {0, 1}∗ . 1: d is the remainder when we divide t − |M | − 1 by t. 2: partition M 10d = M1  · · · M , M1 , · · · , M ∈ {0, 1}b 3: h0 = 0t 4: for i = 1 to  do 5: if i =  then 6: h = f (h−1 ⊕ K, M ) 7: else 8: hi = f (hi−1 ⊕ Mi+1 [t], Mi ) \\ X[t] represents the first t-bits of X. 9: end if 10: if hi = 0t then 11: hi = 0t−1 1 12: end if 13: end for 14: return h .

{0, 1} for some , respectively. Now we define a variant of BCM [1] (backward chaining mode) which is simpler and needs less salt size. Recall that BCM uses the padding rule padmerk and its salt size is b + 2t. In this paper, we use salt of size t only. We denote the hash function as BCMfpad0 since it uses the simplest injective padding rule pad0 . One may use some other padding rules. A hash family H := {HK }K∈{0,1}s based on a compression function f is said to almost preserve (,  )-collision security if given an efficient algorithm A with at least  collision advantage for HK , we can construct (write down its code modulo the subroutine A) an efficient algorithm A with at least  collision advantage for f  (the first t − 1 bits of f ). Similarly, we define for the other two security notions (2nd) preimage. The proof of the following theorem is given in the full version of the paper and it hash similarity with proof given in [1]. Theorem 4. BCMpad0 almost preserve (, )-collision, (2nd) preimage security. The preimage preserving is trivial since inverting BCMpad0 reduces to inverting the compression function by looking at the last invocation of the compression function. Note that preimage attacker for hash function and preimage attacker for compression function receives a target image which is uniformly distributed. The proof for second preimage is very much similar to the security proof for three property preserving hash function in [1] combined with the collision preserving security analysis for MD hash function with padding rule pad0 . We provide more details to the full version of the paper.

6

Conclusion

We study padding rules in different aspects which is very essential for designing hash function. Appending 1 followed by a suitable size sequence of 0 and binary

Characterizing Padding Rules of MD Hash Functions

183

representation of length is a very standard way to have padding for hash function. But, this padding rule can only be applied for messages of size at most some specified large value. Both for theoretical and practical point of views, we can look for padding rules which can handle arbitrary messages. Padding rules by Damgard and Sarkar are some known examples for this. Here we have shown that suffix-free padding rule is sufficient to preserve collision resistant and as a result we construct a simple padding rule which is more efficient than padding rules both by Damgard and Sarkar. We have also proved that suffix is a necessary condition preserving collision security. Thus, it would be interesting to see that whether padding rule is optimum or not. So we propose the following open problem. Open Problem: Try to find suffix-free padding rule which needs less than logarithm number of bits. On the other hand, we can try to prove that asymptotically any suffix-free padding rule needs at least logarithm number of bits. We believe that the second option is more feasible. We also have shown that the simplest padding such as padding 10d only can be sufficient for collision preserving property if we restrict collision resistant assumption of the underlying compression function for the first (t−1) bits. Thus, the simplest Merkle-Damg˚ ard hash function becomes collision resistant which does not have any overhead costs due to length of the message. We also study a simple variant of MD hash function which preserves collision resistance, second preimage as well as preimage resistance. Thus we believe that padding length is not needed if we choose initial value properly.

References 1. Andreeva, E., Preneel, B.: A Three-Property-Preserving Hash Function. To appear in: Selected Areas in Cryptography (2008) 2. Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997) 3. Bellare, M., Rogaway, P.: Introduction to Modern Cryptography, http://www-cse.ucsd.edu/~ mihir/cse207/classnotes.html 4. Shoup, V.: Using Hash Functions as a Hedge against Chosen Ciphertext Attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 275–288. Springer, Heidelberg (2000) 5. Damg˚ ard, I.B.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990) 6. Damg˚ ard, I.B.: Collision Free Hash Functions and Public Key Signature Schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203– 216. Springer, Heidelberg (1988) 7. Gibson, J.K.: Discrete logarithm hash function that is collision free and one-way. IEE Proceedings-E 138, 407–410 (1991) 8. Don., B.J.: Improving Hash Function Padding. NIST hash workshop (2005), http://csrc.nist.gov/groups/ST/hash/documents/Johnson_Padding.pdf

184

M. Nandi

9. Kelsey, J., Schneier, B.: Second Preimages on n-bit Hash Functions for Much Less than 2n Work. Cryptology ePrint Archive (2004), http://eprint.iacr.org/2004/304 10. Merkle, R.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990) 11. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, pp. 33–43. ACM Press, New York (1989) 12. NIST/NSA. FIPS 180-2 Secure Hash Standard (August 2002), http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 13. Rogaway, P.: Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys. Eprint archive (2006), http://eprint.iacr.org/2006/281.pdf 14. Rogaway, P., Shrimpton, T.: Cryptographic Hash Function Basics: Definitions, Implications, and Separations for Pre-image Resistance, Second Pre-image Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004) 15. Sarkar, P.: Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgard Iteration. Discrete Applied Mathematics 157(5), 1086–1097 (2009) 16. Stinson, D.R.: Cryptography: Theory and Practice, 2nd edn. CRC Press, Inc., Boca Raton 17. Stinson, D.R.: Some observations on the theory of cryptographic hash functions. ePrint Archive Report (2001), http://eprint.iacr.org/2001/020/

Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256 Hongbo Yu1 and Xiaoyun Wang2, 1

Center for Advanced Study, Tsinghua University, Beijing 100084, China [email protected] 2 Tsinghua University and Shandong University, China [email protected], [email protected]

Abstract. In this paper, we present the first distinguishing attack on the LPMAC based on step-reduced SHA-256. The LPMAC is the abbreviation of the secret-prefix MAC with the length prepended to the message before hashing and it’s a more secure version of the secretprefix MAC. In [19], Wang et al. give the first distinguishing attack on HMAC/NMAC-MD5 without the related key, then they improve the techniques to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [23]. In this paper, we utilize the techniques in [23] combined with our differential path on step-reduced SHA-256 to distinguishing the LPMAC based on 39-step SHA-256 from the LPMAC with a random function. The complexity of our attack is about 2184.5 MAC queries. Keywords: SHA-256, distinguishing attack, MAC.

1

Introduction

Hash function play an important role in modern cryptography. One main application of their use is for the message authentication. A message authentication code (MAC) is a function which takes a message and a secret key as inputs and produces an output called an authentication tag. Three earlier MACs based on hash functions are constructed by the secret prefix method , secret suffix method and envelope method . The two other popular MACs based on the existing hash functions are MDx-MAC [13] and HMAC/NMAC [2]. Recent years, cryptanalysis on hash function MDx-family and SHA-family has been extensively studied. The attacks on hash functions [5,20,21,22,24,25,27,3] have shown that the prevailing hash functions such as MD4, HAVAL, MD5, SHA0, SHA-1 are not collision resistant. Therefore research on the MACs based on 

Supported by 973 Project(No.2007CB807902), 863 Project(No.2006AA01Z420) and the National Natural Science Foundation of China(NSFC Grant No.60803125).

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 185–201, 2009. c Springer-Verlag Berlin Heidelberg 2009 

186

H. Yu and X. Wang

those hash functions has become a hot topic. There are three kinds of attacks on MACs: distinguishing attack, forgery attack and key-recovery attack. In [9], Kim et al. defined two kinds of distinguishing attack on the hash-based MACs, named distinguishing-R and distinguishing-H attacks. The distinguishing-R attacks means distinguishing a MAC with a random function, and distinguishing-H attack checks an instantiated MAC (in which is embedded a specific hash function) from a MAC with a random function. The distinguishing-R attack is useful when the cryptanalyst wants to check whether output strings are produced from a specific MAC algorithm or a random function, while the distinguishingH attack is to check which cryptographic hash is embedded in a specific MAC algorithm (in this case, the cryptanalyst somehow already knew that the output producing MAC algorithm, for instance, using the distinguishing-R attack, but does not know the underlying hash function). For a MAC based on an iterated compression function, the distinguishing-R attack requires about 2n/2 messages queries by the birthday paradox [13], where n is the length of the MAC output. But for the distinguishing-H attack, it has no constraint of 2n/2 message queries because there does not exist a general attack based on the birthday paradox which distinguishing a MAC with existing hash functions from a MAC with a random function. So the idea complexity for the distinguishing-H attack should be the exhaustive attack. In this paper, we only focus on the distinguishing-H attack. For simplicity, we call it as distinguishing attack. Most of the attacks on hash-based MACs make use of collision or near-collision differential path for the underlying compression function with probability higher than 2−n . For MD4, HAVAL and SHA-0, it’s easy to find the differential paths with high probability [20,26,22,3], so the distinguishing, forgery and key-recovery (or partial key recovery) attacks can be implemented successfully [4,6,18]. For MD5, the only differential path with high probability is the pseudo-collision differential found by den Boer and Bosselaers [1], and we call it as a dBB difference which consists of different IVs and the same massage. So the previous attacks on MD5 are all in related key setting [4,6,18,16]. For the MACs based on the SHA-1, distinguishing, forgery and partial or full key recovery attacks on NMAC/HMAC-SHA-1 with a reduced number of steps (up to 62 out of 80) are given in [16]. For the SHA-2, the first studies on the unmodified SHA-2 is given by Mendel et al. [10], which give a 18-step collision and a 22-step pseudo-nearcollision for SHA-256. A series of analysis results on the step-reduced SHA-2 can be obtained in [14,11,8,15] subsequently. Recently, Wang et al. give the first distinguishing attack on HMAC and NMAC based on MD5 without related key in Eurocrypt 2009 [19]. They use a distinguisher with a pair of two-block messages, the first block is used to guarantee the appearance of the dBB difference by the birthday attack and the second block uses a dBB difference to make a collision. The aims of their distinguishing is to detect a dBB-collision from other types of collisions. Furthermore in FSE 2009 [23], Wang et al. improve their techniques to distinguish the LPMAC based on 61-step SHA-1. The distinguisher also consists of a pair of two-block messages, the first 960 bits of the messages are used to ensure the emergence of a specific

Distinguishing Attack on the Secret-Prefix MAC

187

difference in the 14-th step of the second block, and the last 64 bits are used to ensure the establishment of the 34-step differential path. Because the outputs of the first block are unknown, it’s more complex to detect the specific difference than that of MD5 and it requires that the probability of last 34-step differential path is higher than 2−n/4 where n is the length of the MAC output. In this paper, we apply the distinguishing techniques of Wang’s [23] to the LPMAC based on step-reduced SHA-256. We find a 25-step differential path of SHA-256 with probability 2−41 . Based on it, we can distinguish a LPMAC based on 39-step SHA-256 with a LPMAC from a random function with complexity 2184.5 . The difficulty of our attack is to deal with a large number of linear message equations because of the non-linear message expansion of SHA-256. This paper is organized as follows. In section 2, we define some notations and give a brief description of SHA-256 and LPMAC. In section 3, we give an overview of Wang et al.’s distinguishing attack on SHA-1. In section 4, we describe our distinguishing attack on the LPMAC based on 39-step SHA-2. Finally we conclude the paper in section 5.

2

Backgrounds and Definitions

In this section, we define some notations used in this paper, and give a brief description of the hash function SHA-256 and the secret-prefix MAC. 2.1

Notations

xy : concatenation of the two bitstrings x and y xi,j : the j-th bit of xi , where xi is a 32-bit word and xi,32 is the most significant bit +,− : addition and subtration modular 232 ∧,∨,⊕ : bitwise AND, OR, and exclusive OR Δx : the XOR difference x ⊕ x Δ− x : the integer modular subtration difference x − x , where x and x are two 32-bit words S n : right-rotation by n-bit Rn : right-shift by n-bit 2.2

Description of SHA-256

The SHA-2 family was standardized by NIST in 2002 [12]. It consists of the hash functions SHA-256, SHA-224, SHA-512 and SHA-384. For our purpose attack, here we only describe SHA-256. SHA-256 is an iterated cryptographic hash function based on compression function which takes a message of length less than 264 and produces a 256bit hash value. The compression function takes a 256-bit chaining value Hi = (a0 , b0 , c0 , d0 , e0 , f0 , g0 , h0 ) and a 512-bit message block M i as inputs and outputs another 256-bit chaining value Hi+1 . The final chaining value is the hash value by iterating over all the message blocks.

188

H. Yu and X. Wang

Each 512-bit block of the padded message M i is divided into sixteen 32-bit words which are denoted as m0 , m1 , ..., m15 . The message words are expanded to sixty-four 32-bit words w0 , w1 ,..., w63 :  wj =

mj , 0 ≤ j ≤ 15; σ1 (wj−2 ) + wj−7 + σ0 (wj−15 ) + wj−16 , 16 ≤ j ≤ 63.

The compression function of SHA-256 consists of 4 rounds and each involves 16 steps, which is defined as follows: – Input: sixty-four 32-bit words w0 , w1 ,...,w63 and a 160-bit chaining value Hi = (a0 , b0 , c0 , d0 , e0 , f0 , g0 , h0 ). – Step update: for j = 1 to 64, T1 = hj−1 + Σ1 (ej−1 ) + Ch(ej−1 , fj−1 , gj−1 ) + kj−1 + wj−1 T2 = Σ0 (aj−1 ) + M aj(aj−1 , bj−1 , cj−1 ) aj = T1 + T2 bj = aj−1 cj = bj−1 dj = cj−1 ej = dj−1 + T1 fj = ej−1 gj = fj−1 hj = gj−1 – Output: Hi+1 = (a0 + a64 , b0 + b64 , c0 + c64 , d0 + d64 , e0 + e64 , f0 + f64 , g0 + g64 , h0 + h64 ). The Boolean functions Ch(x, y, z) and M aj(x, y, z) employed in the SHA-256 are defined as follows: Ch(x, y, z) = (x ∧ y) ⊕ (¬x ∧ z) M aj(x, y, z) = (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z) The functions Σ0 (x), Σ1 (x), σ0 (x) and σ1 (x) are defined as follows: Σ0 (x) = S 2 (x) ⊕ S 13 (x) ⊕ S 22 (x) Σ1 (x) = S 6 (x) ⊕ S 11 (x) ⊕ S 25 (x) σ0 (x) = S 7 (x) ⊕ S 18 (x) ⊕ R3 (x) σ1 (x) = S 17 (x) ⊕ S 19 (x) ⊕ R10 (x) The constants kj in each step can be referred to [12].

Distinguishing Attack on the Secret-Prefix MAC

2.3

189

Secret-Prefix MAC and LPMAC

The secret prefix method consists of prepending a secret key k to the message M before the hashing operation: M AC(M ) = h(kM ) for h an unkeyed hash function. If the key consists of (maybe padded) a complete block, this corresponds to a hash function with a secret IV. This method was suggested for MD4 independently by Tsudik [17] and by the Internet Security and Privacy Working Group for use in the Simple Network Management Protocol (SNMP) [7]. But this kind of MAC is insecure: a single text-MAC pair contains information essentially equivalent to the secret key, independent of its size. An attacker may append any blocks to the message and update the MAC accordingly, using the old MAC as the initial chaining variable. An countermeasure for this type of attack was proposed by prepending the length of the unpadded message before hashing [17]. We denoted this type of MAC as LP M ACk (M ) = h(klengthM), where M is the padded message of M . Suppose that klength consists of a complete block. The padding method we selected for the LPMAC in this paper is: if the length of M is the multiple of 512 bits, it no need to pad; Otherwise, appending minimum number of zeros to make a whole number of blocks.

3

Overview of Wang et al.’s Distinguishing Attack on the LPMAC Based on 61-Step SHA-1[23]

The distinguishing attack for the LPMAC based on step-reduced SHA-1 in [23] utilized a 47-step differential path P of SHA-1 from step 15 to 61 with probability 2−34 (See Table 2 of [23]). The basic idea of Wang et.al ’s technique in [23] is to detect a specific difference which consists of a two-block message pair (xyz, x y  z  ), where x and x are one-block messages, y and y  are 448-bit (14 words) messages of the second block, z and z  are the remaining 64-bit messages, Δy = y  ⊕y and Δz = z  ⊕z are the fixed differences which are determined by the differential path P . Let cv and cv  denote the output values after the first block of LP M ACk (xyz) and LP M ACk (x y  z  ), and chi and chi denote the outputs after step i of the second block respectively. Then the specific difference satisfies the following conditions: 1. The XOR difference Δch14 = ch14 ⊕ ch14 is a fixed difference determined in advance and ch14 satisfies 9 fixed conditions. 2. The outputs of the message pair (xyz, x y  z  ) satisfies LP M ACk (x y  z  ) − LP M ACk (xyz) = δ1 + δ2

(1)

where δ1 = cv  − cv and δ2 = ch61 − ch61 . For the random message pair (xyz, x y  z  ), the condition 1 holds with probability 2−169 . Under the condition 1, if the LPMAC is based on 61-step SHA-1, the condition 2 holds with probability 2−34 . Otherwise, if the LPMAC is based

190

H. Yu and X. Wang

on a random function, the condition 2 is satisfied with the average probability 2−160 . Because the output difference δ1 of the first block is unknown, the specific difference can not be detected similar as the distinguishing attack on HMAC/NMACMD5 in [19]. So it needs another two 64-bit messages z1 and z1 = z1 + Δz that also satisfy LP M ACk (x y  z1 ) − LP M ACk (xyz1 ) = δ1 + δ2

(2)

Combine the equations (1) and (2), we can get LP M ACk (x y  z1 ) − LP M ACk (x y  z  ) = LP M ACk (xyz1 ) − LP M ACk (xyz)

(3)

So if the LPMAC is based on 61-step SHA-1, the message quadruple (xyz, xyz1 , x y  z  , x y  z1 ) satisfies the equation (3) with probability 2−68 under the condition 1 ; Otherwise, the equation (3) holds with probability 2−160 . According to this probability advantage, the main idea of the distinguishing attack in [23] is summarized as follows: Choose about 268 sets Si randomly and each consists of 284.5 different oneblock messages. For each message x ∈ Si (0 ≤ i ≤ 268 ), query the MACs with xyz, xyz1 , xy  z  and xy  z1 where yz, yz1 , y  z  and y  z1 are four fixed messages and compute the following two structures of differences Si,1 = {LP M ACk (xyz1 ) − LP M ACk (xyz)|x ∈ Si }, Si,2 = {LP M ACk (xy  z1 ) − LP M ACk (xy  z  )|x ∈ Si }. Find all the collisions (x, x ) in Si,1 and Si,2 (0 ≤ i ≤ 268 ) so that the equation (3) holds. The total number of MAC queries are about 2154.5 . It expects about 268 collisions where each set contains one collision on average. For each collision pair (x, x ), do: – Compute δ = LP M ACk (x y  z  ) − LP M ACk (xyz). – Replace the fixed message pair (z, z  ) with 234 different 64-bit message pairs (z, z  ) where each yz also satisfies the fix message conditions and z  = z+Δz. Query all the 234 message pairs (xyz, x y  z  ) and get their MACs. For each message pair, compute δ = LP M ACk (x y  z  )−LP M ACk (xyz) and compare δ to δ. Once a δ is found so that δ = δ, then conclude that the target MAC is a LPMAC based on 61-step SHA-1; Otherwise, conclude that the MAC is LPMAC based on a random function. The complexity of the distinguishing attack is about 2154.5 .

Distinguishing Attack on the Secret-Prefix MAC

4

191

Distinguishing Attack on the LPMAC Based on 39-Step SHA-256

In this section, we apply the distinguisher in [23] to distinguish the LPMAC based on 39-step SHA-256. The key step for our attack is to find a specific differential path P1 of 39-step SHA-256 which is shown in Table 3. The differential path in Table 3 can be divided into two parts: steps 1 ∼ 14 and steps 15 ∼ 39. For the first part, we neglect the exact output differences in the first 13 steps and only focus on the output difference after step 14 which serves as the input of the the second part. The differential path of second part from steps 15 to 39 is a pseudo-near-collision differential path with probability 2−41 . The pseudo-near-collision for the compression function can be defined as follows: Definition. We say that (h, x) and (h , x ) is a pseudo-near-collision for the compression function f : {0, 1}n × {0, 1}m → {0, 1}n, if the Hamming distance   between f (h, x) and f (h , x ) is small (typically, a few bits) and (h, x)  = (h , x ). The distinguisher for the LPMAC based on 39-step SHA-1 also consists of a two block messages pair (xyz, x y  z  ), where x and x are one-block messages, y and y  are 448-bit truncated messages of the second block, z and z  are the remaining 64-bit messages, and the difference Δy = y ⊕ y  and Δz = z ⊕ z  are determined by the path P1 . The purpose of our attack is to distinguish the output difference occurred after step 14 of the second block. 4.1

The Specific Differential Path for 39-Step SHA-256

The message difference ΔM = M ⊕ M  = (Δm0 , ..., Δm15 ) for the 39-step SHA256 is selected are as follows (See Table 1): Table 1. The message difference Δm0 ∼ Δm3 Δm4 ∼ Δm7 Δm8 ∼ Δm11 Δm12 ∼ Δm15

0x92844891 0x55410245 0x12022882 0x0a020000

0x50824014 0xa1114484 0x00104011 0x11002000

0x84521222 0x4a901104 0x90904111 0x04444441 0x00880080 0x81544280 0x80000000 0

 Let W = (w0 , w1 , ..., w38 ) and W  = (w0 , w1 , ..., w38 ) be the expanded message   of M and M respectively. To make Δwi = wi ⊕ wi (16 ≤ i ≤ 38) meet the fixed message differences in Table 3, i.e.,

Δwi = 0, 16 ≤ i ≤ 37, i  = 23, Δw23 = 0x80000000, Δ− w38 = 213 + 224 + 228 , we need to deduce a group of sufficient conditions on message W . For example, according to the message expansion algorithm of SHA-256, w16 = w0 + σ0 (w1 ) + w9 + σ1 (w14 ),   w16 = w0 + σ0 (w1 ) + w9 + σ1 (w14 ).

192

H. Yu and X. Wang

Let Δw16 = 0, then  w0 + σ0 (w1 ) + w9 + σ1 (w14 ) = w0 + σ0 (w1 ) + w9 + σ1 (w14 )

(4)

From the XOR difference Δσ0 (w1 ) = σ0 (Δw1 ) = σ0 (0x50824014) = 0xb2b458a2, Δσ1 (w14 ) = σ1 (Δw14 ) = σ1 (0x8000000) = 0x00205000, Δw0 = 0x92844891, Δw9 = 0x00104011, we can deduce a set of sufficient conditions to guarantee the equation (4) hold: ⎧ w9,1 = w0,1 , ⎪ ⎪ ⎪ ⎪ σ0 (w1 )2 = w0,1 ⊕ 1, ⎪ ⎪ ⎪w = w , ⎪ 9,5 0,5 ⎪ ⎪ ⎪ ⎪ ⎪ σ0 (w1 )6 = w0,5 ⊕ 1, ⎪ ⎪ ⎪ σ0 (w1 )8 = w0,8 ⊕ 1, ⎪ ⎪ ⎪ ⎪ σ0 (w1 )12 = w0,12 ⊕ 1, ⎪ ⎪ ⎪ ⎪ σ0 (w1 )13 = σ1 (w14 )13 ⊕ 1, ⎪ ⎪ ⎨ σ0 (w1 )15 = σ1 (w14 )15 ⊕ 1, w9,15 = w0,15 ⊕ 1, ⎪ ⎪ ⎪ ⎪ σ0 (w1 )19 = w0,19 ⊕ 1, ⎪ ⎪ ⎪ ⎪ ⎪ σ0 (w1 )21 = w0,21 ⊕ 1, ⎪ ⎪ ⎪ ⎪ σ0 (w1 )22 = σ1 (w14 )22 ⊕ 1, ⎪ ⎪ ⎪ ⎪ ⎪ σ0 (w1 )24 = w0,24 ⊕ 1, ⎪ ⎪ ⎪ σ0 (w1 )26 = w0,26 ⊕ 1, ⎪ ⎪ ⎪ ⎪ σ (w ) = w0,29 , ⎪ ⎩ 0 1 29 σ0 (w1 )30 = w0,29 ⊕ 1.

(5)

Because σ0 (x) = S 7 (x)⊕S 18 (x)⊕R3 (x) and σ1 (x) = S 17 (x)⊕S 19 (x)⊕R10 (x), then the j-the bit of σ0 (x) and σ1 (x) can be expressed as  σ0 (x)j =

 σ1 (x)j =

x(j+7)mod32 ⊕ x(j+18)mod32 ⊕ x(j+3)mod32 , 1 ≤ j ≤ 29, x(j+7)mod32 ⊕ x(j+18)mod32 , 30 ≤ j ≤ 32.

x(j+17)mod32 ⊕ x(j+19)mod32 ⊕ x(j+10)mod32 , 1 ≤ j ≤ 22, x(j+17)mod32 ⊕ x(j+19)mod32 , 23 ≤ j ≤ 32.

Take σ0 (x)j and σ1 (x)j into the equation system (5) and arrange the items in each equation from the higher bit to lower bit, we can get a group of message equations:

Distinguishing Attack on the Secret-Prefix MAC

193

⎧ w1,16 = w1,5 ⊕ w0,29 ⊕ 1, ⎪ ⎪ ⎪w ⎪ 1,20 = w1,9 ⊕ w1,5 ⊕ w0,1 ⊕ 1, ⎪ ⎪ ⎪ ⎪ w1,22 = w1,15 ⊕ w1,11 ⊕ w1,5 ⊕ w0,8 ⊕ w0,19 , ⎪ ⎪ ⎪ ⎪ w1,24 = w1,13 ⊕ w1,9 ⊕ w0,5 ⊕ 1, ⎪ ⎪ ⎪ ⎪ w1,26 = w1,15 ⊕ ⊕w1,11 ⊕ w0,8 ⊕ 1, ⎪ ⎪ ⎪ ⎪ w1,29 = w1,12 ⊕ w1,1 ⊕ w0,26 ⊕ 1, ⎪ ⎪ ⎪ ⎪ w1,30 = w1,19 ⊕ w1,15 ⊕ w0,12 ⊕ 1, ⎪ ⎪ ⎨ w1,31 = w1,27 ⊕ w1,10 ⊕ w0,24 ⊕ 1, (6) ⎪ w1,32 = w1,15 ⊕ w1,4 ⊕ w0,29 , ⎪ ⎪ ⎪ w9,1 = w0,1 , ⎪ ⎪ ⎪ ⎪ ⎪ w9,5 = w0,5 , ⎪ ⎪ ⎪ ⎪ ⎪ w9,15 = w0,15 ⊕ 1, ⎪ ⎪ ⎪ w9,21 = w1,28 ⊕ w1,24 ⊕ w1,7 ⊕ 1, ⎪ ⎪ ⎪ ⎪ w14,25 = w14,7 ⊕ w14,9 ⊕ w14,2 ⊕ w1,29 ⊕ w1,25 ⊕ w1,22 ⊕ w1,8 ⊕ w1,1 ⊕ w1,18 , ⎪ ⎪ ⎪ ⎪ w = w14,23 ⊕ w14,9 ⊕ w14,7 ⊕ w1,31 ⊕ w1,29 ⊕ w1,25 ⊕ w1,20 ⊕ w1,16 ⊕ w1,8 , ⎪ ⎩ 14,30 w14,32 = w14,7 ⊕ w14,9 ⊕ w1,29 ⊕ w1,25 ⊕ w1,8 ⊕ 1,

For each message word difference of Δw16 ∼ Δw38 in Table 3, we can deduce a group of sufficient conditions similar to the equation system (6). There are total 150 conditions on W = (w0 , ..., w38 ) which are shown in Table 5 and 5. For the pseudo-near-collision differential path from steps 15 to 39 of Table 3, the input chaining variable difference Δch14 = ch14 ⊕ ch14 is selected as (in hexadecimal expression) (0, 22140240, 80000000, 0, 00082200, 20040000, 80000000, 4411008c), and the output difference Δ− ch39 = ch39 − ch39 is (213 + 224 + 228 , 0, 0, 0, 213 + 224 + 228 , 0, 0, 0). It’s easy to deduce the sufficient conditions on the chaining variables ch14 to ch39 according to the properties of the Boolean functions Ch and M aj. There are 25 conditions in ch14 and 41 conditions in ch15 ∼ ch39 altogether (See Table 4), and each condition can be fulfilled with probability 1/2. So if the 25 sufficient conditions in ch14 and 150 conditions in message words w0 ∼ w38 are fulfilled, the differential path from steps 15 to 39 in Table 3 holds with probability 2−41 . It deserves to note that we use the XOR difference in the first 38 steps in Table 3, and use the integer modular subtration difference in the last step (step 39). 4.2

The Distinguishing Algorithm on LPMAC from 39-Step SHA-256

In this section, we give the distinguishing attack on the LPMAC based on 39step SHA-2 utilizing the technique in [23] combined with our new differential path. The first step of our attack is to select four fixed one-block messages yz, yz1 , y  z  , and y  z1 which satisfy

194

H. Yu and X. Wang

– The messages yz and yz1 satisfies the 150 message conditions in Table 5 and 5. – Δy = y  ⊕ y and Δz = z  ⊕ z = z1 ⊕ z1 , ΔyΔz are the target message differences in Table 1. The purpose of our attack is to find a 512-bit message pair (x, x ) so that the message quadruple (xyz, xyz1, x y  z  , x y  z1 ) satisfy the following two conditions: 1. Let ch14 and ch14 denote the 14-th step outputs of the second block of LP M ACk (xyz) and LP M ACk (x y  z  ) respectively. Δch14 satisfies the target input difference of step 14 in Table 3 and ch14 satisfies the 25 sufficient conditions in Table 4. 2. The LPMACs of the message quadruple satisfy the equation LP M ACk (xyz1 ) − LP M ACk (xyz) = LP M ACk (x y  z1 ) − LP M ACk (x y  z  ) We call the message pair (x, x ) that satisfies the condition 1 and 2 above as a W-Collision. For a random one-block message pair (x, x ), the condition 1 above is satisfied with probability 2−256 × 2−25 = 2−281 . If the LPMAC is based on 39-step SHA256, the condition 2 can be satisfied when the two message pairs (xyz, xy z  ) and (xyz1 , xy  z1 ) both follow the differential path from step 15 to 39 in Table 3, and the probability is 2−82 ; Otherwise, if the LPMAC is based on a random function, the condition 2 holds with the average probability 2−256 . Overall, if the MAC is a LPMAC based on 39-step SHA-256, the messages quadruple (xyz, xyz1, x y  z  , x y  z1 ) satisfy the condition 1 and 2 with probability 2−281 × 2−82 = 2−363 , i.e., (x, x ) consists of a W-Collision with probability 2−363 . Then the distinguishing algorithm for the LPMAC based on 39-step SHA-256 can be described as follows: 1. Generate a message set S randomly, which consist of 2182.5 one-block messages. For each x ∈ S, query the MACs with xyz, xy  z  , xyz1 and xy  z  respectively, and compute the following two sets of differences: S1 = {LP M ACk (xyz1 ) − LP M ACk (xyz)|x ∈ S}, S2 = {LP M ACk (xy  z1 ) − LP M ACk (xy  z  )|x ∈ S}. Find all the collisions (x, x ) between the sets S1 and S2 by the birthday attack so that LP M ACk (xyz1 ) − LP M ACk (xyz) = LP M ACk (x y  z1 ) − LP M ACk (x y  z  ). The set of all collisions is recorded as S3 .

Distinguishing Attack on the Secret-Prefix MAC

195

2. For each collision (x, x ) ∈ S3 , compute LP M ACk (x y  z  ) − LP M ACk (xyz) and denote it as δ. Choose 242 different 64-bit messages pairs (z, z  ) so that (yz, y  z  ) satisfy the message differences in Table 3 and yz satisfy the message conditions in Table 5 and 5. Query the MACs of all the 242 message pairs (x y  z  , xyz) and observe whether LP M ACk (x y  z  ) − LP M ACk (xyz) is equivalent to δ. 3. Once a pair (z, z  ) are found to match the difference δ, we conclude that the LPMAC is based on 39-step SHA-256; Otherwise, output the MAC is LPMAC based on a random function. Complexity evaluation In step 1, the number of queries is 2184.5 for all the 2182.5 messages. In addition, it needs a table look up with the table size 2182.5 . For the 2182.5 messages, it can form about 2364 message pairs , so expected number of collisions in S3 is about 2364−256 = 2108 in which about 2364−363 = 2 W-collisions are included. In step 2, for each collision, it needs 242 message pairs to verify whether the collision is a W-collision for a reasonable success rate, so the complexity in step 2 is about 2150 MAC queries. Therefore, the total time complexity of this attack is dominant in step 1 and it’s about 2184.5 MAC queries. Success rate: We divide the success rate into two parts: – If the MAC is LPMAC based on 39-step SHA-256, the attack succeeds when we distinct a W-collision from 2108 other collisions. The probability that there exists a W-collision among 2108 collisions is: 1 2364 1 ) = 1 − 2 ≈ 0.86 2363 e The probability that the W-collision can be detected in step 3 is about 1 − (1 −

1 242 1 ) = 1 − 2 ≈ 0.86 241 e This way, if the MAC is LPMAC based on 40-step SHA-256, a W-collision can be detected with probability 0.86 × 0.86 ≈ 0.72. – If the MAC is LPMAC based on a random function, the attack succeeds when no W-collision is detected. The success probability is about: 1 − (1 −

((1 −

1 242 2108 ) ) ≈ 1. 2256

Therefore, the success rate of the whole attack is about 1 1 × 0.72 + × 1 = 0.87. 2 2 The success probability can be improved by increase the number of selected messages.

196

5

H. Yu and X. Wang

Conclusions

In this paper, we give the first distinguishing attack on the LPMAC based on 39-step SHA-256, and the attack is also applicable to the LPMAC based on stepreduced SHA-512. Our distinguishing attack on the LPMAC is not useful for the HMAC/NMAC because the non-zero output difference of the inner function is overshadowed by the outer function of HMAC/NMAC so that the W-Collision cannot be detected.

References 1. den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994) 2. Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996) 3. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998) 4. Contini, S., Yin, Y.L.: Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006) 5. Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996) 6. Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 13–30. Springer, Heidelberg (2007) 7. Galvin, J.M., McCloghrie, K., Davin, J.R.: Secure management of SNMP networks. Integrated Network Management 11, 703–714 (1991) 8. Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and other NonRandom Properties for Step-Reduced SHA-256. SAC 2008 (2008), http://eprint.iacr.org/2008/131.pdf 9. Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0, and SHA-1. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006) 10. Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: Analysis of Step-Reduced SHA-256. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 126–143. Springer, Heidelberg (2006) 11. Nikoli´c, I., Biryukov, A.: Collisions for Step-Reduced SHA-256. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 1–16. Springer, Heidelberg (2008) 12. National Institute of Standards and Technology (NIST). FIPS- 180-2: Secure Hash Standard (August. 2002), http://www.itl.nist.gov/fipspubs/ 13. Preneel, B., Oorschot, P.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995) 14. Sanadhya, S., Sarkar, P.: New Local Collisions for the SHA-2 Hash Family. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 193–205. Springer, Heidelberg (2007)

Distinguishing Attack on the Secret-Prefix MAC

197

15. Sanadhya, S., Sarkar, P.: New Collision attacks Against Up To 24-step SHA-2. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008), http://eprint.iacr.org/2008/270.pdf 16. Rechberger, C., Rijmen, V.: On Authentication with HMAC and Non-Random Properties. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 39–57. Springer, Heidelberg (2007) 17. Tsudik, G.: Message authentication with one-way hash functions. ACM Computer Communications Review 22(5), 29–38 (1992) 18. Wang, L., Ohta, K., Kunihiro, N.: New Key-Recovery Attacks on HMAC/NMACMD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237–253. Springer, Heidelberg (2008) 19. Wang, X.Y., Yu, H.B., Wang, W., Zhang, H.N., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Eurocrypt 2009 (to appear, 2009) 20. Wang, X.Y., Lai, X.J.: Cryptanalysis for Hash Functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005) 21. Wang, X.Y., Yu, H.B.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005) 22. Wang, X.Y., Feng, D.G., Yu, X.Y.: An attack on HAVAL function HAVAL-128. Science in China Ser. F Information Sciences 48(5), 1–12 (2005) 23. Wang, X.Y., Wang, W., Jia, K.T., Wang, M.Q.: New Distinguishing Attack on MAC using Secret-Prefix Method. In: FSE 2009 (to appear, 2009) 24. Wang, X.Y., Yu, H.B., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005) 25. Wang, X.Y., Yin, Y.L., Yu, H.B.: Finding collisions on the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) 26. Yu, H.B., Wang, G.L., Zhang, G.Y., Wang, X.Y.: The Second-Preimage Attack on MD4. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds.) CANS 2005. LNCS, vol. 3810, pp. 1–12. Springer, Heidelberg (2005) 27. Yu, H.B., Wang, X.Y., Yun, A., Park, S.: Cryptanalysis of the Full HAVAL with 4 and 5 Passes. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 89–110. Springer, Heidelberg (2006)

198

H. Yu and X. Wang

Appendix

Table 2. The property for the round function Ch(x, y, z) and M aj(x, y, z) of SHA-256. Δx = 1 denotes x changes from 0 to 1, Δx = −1 denotes x changes from 1 to 0. Δx 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1 -1

Δy 0 0 0 1 1 1 -1 -1 -1 0 0 0 1 1 1 -1 -1 -1 0 0 0 1 1 1 -1 -1 -1

Δz ΔCh = 0 ΔCh = 1 ΔCh = −1 ΔM aj = 0 ΔM aj = 1 ΔM aj = −1 0 1 – – 1 – – 1 x=1 x=0 – x=y x =y – -1 x = 1 – x=0 x=y – x =y 0 x=0 x=1 – x=z x =z – 1 – 1 – – 1 – -1 – x=1 x=0 1 – – 0 x=0 – x=1 x=z – x =z 1 – x=0 x=1 1 – – -1 – – 1 – – 1 0 y = z y = 1, z = 0 y = 0, z = 1 y=z y =z – 1 y=0 y=1 – – 1 – -1 y = 1 – y=0 1 – – 0 z=1 z=0 – – 1 – 1 – 1 – – 1 – -1 1 – – – 1 – 0 z=0 – z=1 1 – – 1 1 – – – 1 – -1 – – 1 – – 1 0 y = z y = 0, z = 1 y = 1, z = 0 y=z – y =z 1 y=1 y=0 – 1 – – -1 y = 0 – y=1 – – 1 0 z=0 z=1 – 1 – – 1 – 1 – – 1 – -1 1 – – – – 1 0 z=1 – z=0 – – 1 1 1 – – – – 1 -1 – – 1 – – 1

Distinguishing Attack on the Secret-Prefix MAC

199

Table 3. Differential path for the 39-step SHA-256 step Δw Δa Δb Δc Δd Δe Δf Δg Δh IV 1 92844891 2 50824014 3 84521222 4 4a901104 5 55410245 6 a1114484 7 90904111 8 04444441 9 12022882 10 00104011 11 00880080 12 81544280 13 0a020000 14 11002000 0 22140240 80000000 0 00082200 20040000 80000000 4411008c 15 80000000 0 0 22140240 80000000 0 00082200 20040000 80000000 16 0 80000000 0 0 22140240 0 0 00082200 20040000 17 0 0 80000000 0 0 02100040 0 0 00082200 18 0 0 0 80000000 0 0 02100040 0 0 19 0 0 0 0 80000000 0 0 02100040 0 20 0 0 0 0 0 80000000 0 0 02100040 21 0 0 0 0 0 0 80000000 0 0 22 0 0 0 0 0 0 0 80000000 0 23 0 0 0 0 0 0 0 0 80000000 24 80000000 0 0 0 0 0 0 0 0 25-38 0 0 0 0 0 0 0 0 0 39 213 + 224 + 228 Δ− w38 0 0 0 Δ− w38 0 0 0

200

H. Yu and X. Wang

Table 4. Sufficient conditions for steps 14 ∼ 39 on SHA-256 ch14

ch15 ch16

ch17 ch18 ∼ ch19 ch20 ∼ ch22

f14,10 = g14,10 , f14,14 = g14,14 ⊕1, f14,19 = b14,19 ⊕1, f14,20 = g14,20 , f14,30 = b14,30 ⊕1, a14,7 = c14,7 , a14,10 = c14,10 , a14,19 = c14,19 , a14,21 = c14,21 , a14,26 = c14,26 , a14,30 = c14,30 , a14,32 = b14,32 , e14,10 = b14,10 ⊕ 1, e14,14 = e14,1 ⊕ h14,8 , e14,15 = e14,1 ⊕ e14,6 ⊕ e14,2 ⊕ h14,8 ⊕ h14,27 , e14,19 = 0, e14,20 = e14,15 ⊕ e14,2 ⊕ h14,8 ⊕ 1, e14,23 = e14,9 ⊕e14,14 ⊕h14,3 ⊕e14,10 ⊕h14,17 , e14,24 = e14,5 ⊕e14,10 ⊕h14,31 ⊕1, e14,25 = e14,20 ⊕ e14,7 ⊕ e14,14 ⊕ g14,14 ⊕ 1, e14,27 = e14,14 ⊕ h14,21 ⊕ 1, e14,28 = e14,9 ⊕ e14,14 ⊕ h14,3 ⊕ 1, e14,29 = e14,10 ⊕ e14,15 ⊕ h14,4 ⊕ 1, e14,30 = 0, e14,32 = 0 a15,32 = a14,32 , a15,7 = a14,7 , a15,10 = a14,10 , a15,19 = a14,19 , a15,21 = a14,21 , a15,26 = a14,26 , a15,30 = a14,30 , e15,10 = 0, e15,14 = 0, e15,20 = 0, e15,19 = 1, e15,30 = 1 a16,32 = a16,12 ⊕ a16,23 ⊕ c15,10 , a16,23 = a16,21 ⊕ a16,12 ⊕ a16,9 ⊕ c15,10 ⊕ c15,19 , a16,21 = a16,9 ⊕ a16,11 ⊕ a16,20 ⊕ c15,30 ⊕ c15,19 , e16,7 = e15,7 , e16,10 = 0, e16,14 = 1, e16,20 = 1, e16,21 = e15,21 , e16,26 = e15,26 e17,7 = c15,7 , e17,16 = e17,21 ⊕ e17,3 ⊕ f15,10 ⊕ 1, e17,21 = c15,21 , e17,25 = e17,20 ⊕ e17,7 ⊕ f15,14 ⊕ 1, e17,26 = c15,26 , e17,31 = e17,26 ⊕ e17,13 ⊕ f15,20 ⊕ 1, a17,32 = a15,32 a18,32 = a17,32 , e18,7 = 0, e18,21 = 0, e18,26 = 0, e19,7 = 1, e19,21 = 1, e19,26 = 1, e19,32 = e18,32 e20,19 = e20,13 ⊕e20,18 ⊕e20,7 ⊕e20,5 ⊕e17,26 , e20,28 = e20,13 ⊕e20,18 ⊕e20,7 ⊕e20,14 ⊕e17,21 , e20,32 = e20,13 ⊕ e20,18 ⊕ e17,7 ⊕ 1, e21,32 = 0, e22,32 = 0

Table 5. Conditions on messages for steps 1 ∼ 39 on SHA-256 wi Conditions Numbers w1 w1,16 = w1,5 ⊕ w0,29 ⊕ 1, w1,20 = w1,9 ⊕ w1,5 ⊕ w0,1 ⊕ 1, w1,22 = w1,15 ⊕ w1,11 ⊕ w1,5 ⊕ 9 w0,8 ⊕ w0,19 , w1,24 = w1,13 ⊕ w1,9 ⊕ w0,5 ⊕ 1, w1,26 = w1,15 ⊕ w1,11 ⊕ w0,8 ⊕ 1, w1,29 = w1,1 ⊕w1,12 ⊕w0,26 ⊕1, w1,30 = w1,19 ⊕w1,15 ⊕w0,12 ⊕1, w1,31 = w1,10 ⊕w1,27 ⊕w0,24 ⊕1, w1,32 = w1,4 ⊕ w1,15 ⊕ w0,29 w2 w2,14 = w2,4 ⊕ w2,6 ⊕ w1,3 ⊕ w1,5 ⊕ w1,18 , w2,15 = w2,11 ⊕ w2,13 ⊕ w2,6 ⊕ w2,4 ⊕ 12 w1,29 ⊕ w1,31 ⊕ w1,5 ⊕ w1,24 , w2,17 = w2,6 ⊕ w1,31 , w2,21 = w2,10 ⊕ w2,6 ⊕ w1,3 ⊕ 1, w2,22 = w2,1 ⊕w2,18 ⊕w1,15 ⊕1, w2,23 = w2,12 ⊕w2,8 ⊕w1,5 , w2,24 = w2,13 ⊕w2,9 ⊕w1,5 , w2,25 = w2,14 ⊕ w2,10 ⊕ w1,5 , w2,27 = w2,16 ⊕ w2,12 ⊕ w1,5 , w2,28 = w2,17 ⊕ w2,13 ⊕ w1,5 , w2,29 = w2,18 ⊕ w2,14 ⊕ w1,5 ⊕ 1, w2,32 = w2,4 ⊕ w2,15 ⊕ w1,29 ⊕ 1 w3 w3,20 = w3,9 ⊕w3,5 ⊕w2,2 , w3,21 = w3,10 ⊕w3,6 ⊕w2,2 ⊕1, w3,24 = w3,13 ⊕w3,9 ⊕w2,6 ⊕1, 8 w3,25 = w3,4 ⊕w3,21 ⊕w2,18 ⊕1, w3,27 = w3,20 ⊕w3,16 ⊕w3,10 ⊕w2,23 ⊕w2,13 ⊕1, w3,30 = w3,2 ⊕ w3,13 ⊕ w2,27 ⊕ 1, w3,31 = w3,20 ⊕ w3,16 ⊕ w2,13 , w3,32 = w3,21 ⊕ w3,17 ⊕ w2,13 w4 w4,13 = w4,10 ⊕w4,12 ⊕w4,6 ⊕w4,7 ⊕w4,3 ⊕w3,24 ⊕w3,31 ⊕w3,21 ⊕1, w4,17 = w4,6 ⊕w3,31 , 14 w4,18 = w4,11 ⊕ w4,7 ⊕ w3,3 ⊕ w4,1 ⊕ w3,13 , w4,19 = w4,12 ⊕ w4,8 ⊕ w3,3 ⊕ w4,2 ⊕ w3,13 ⊕ 1, w4,20 = w3,13 ⊕ w4,10 ⊕ w4,12 ⊕ w3,9 ⊕ w3,24 ⊕ 1, w4,21 = w4,10 ⊕ w4,6 ⊕ w3,3 , w4,22 = w4,11 ⊕ w4,7 ⊕ w3,3 , w4,23 = w4,12 ⊕ w4,8 ⊕ w3,3 ⊕ 1, w4,24 = w4,3 ⊕ w4,20 ⊕ w3,13 ⊕ 1, w4,27 = w4,16 ⊕w4,12 ⊕w3,9 , w4,28 = w4,17 ⊕w4,13 ⊕w3,9 , w4,29 = w4,18 ⊕w4,14 ⊕w3,9 ⊕1, w4,31 = w4,20 ⊕ w4,16 ⊕ w3,13 , w4,32 = w4,21 ⊕ w4,17 ⊕ w3,13

Distinguishing Attack on the Secret-Prefix MAC

201

Table 5. (continued) w5 w5,17 = w5,6 ⊕ w4,31 ⊕ 1, w5,19 = w5,8 ⊕ w5,4 ⊕ w4,1 ⊕ 1, w5,21 = w5,10 ⊕ w5,6 ⊕ w4,3 , w5,22 = w5,11 ⊕w5,7 ⊕w4,3 , w5,23 = w5,12 ⊕w5,8 ⊕w4,3 ⊕1, w5,24 = w5,3 ⊕w5,20 ⊕w4,17 ⊕ 1, w5,25 = w5,14 ⊕w5,10 ⊕w4,7 ⊕1, w5,26 = w5,2 ⊕w5,13 ⊕w5,9 ⊕w4,27 ⊕w4,23 ⊕1, w5,28 = w5,17 ⊕ w5,13 ⊕ w4,10 ⊕ 1, w5,30 = w5,2 ⊕ w5,13 ⊕ w4,27 , w5,31 = w5,3 ⊕ w5,14 ⊕ w4,27 ⊕ 1 w6 w6,15 = w6,14 ⊕w6,11 ⊕w6,10 ⊕w6,8 ⊕w6,6 ⊕w6,5 ⊕w6,1 ⊕w6,4 ⊕w5,15 ⊕w5,8 ⊕w5,11 ⊕w5,3 ⊕ w5,21 , w6,16 = w6,5 ⊕w5,30 ⊕1, w6,18 = w6,15 ⊕w6,11 ⊕w6,5 ⊕w6,1 ⊕w5,15 ⊕w5,17 ⊕w5,8 ⊕1, w6,19 = w6,9 ⊕ w6,11 ⊕ w5,11 ⊕ w5,8 ⊕ w5,21 ⊕ 1, w6,21 = w6,10 ⊕ w6,6 ⊕ w5,3 ⊕ 1, w6,22 = w6,1 ⊕w6,18 ⊕w5,15 ⊕1, w6,24 = w6,3 ⊕w6,20 ⊕w5,17 , w6,25 = w6,4 ⊕w6,21 ⊕w5,17 , w6,26 = w6,15 ⊕w6,11 ⊕w5,8 ⊕1, w6,28 = w6,7 ⊕w6,24 ⊕w5,21 , w6,29 = w6,14 ⊕w6,18 ⊕w5,11 , w6,30 = w6,19 ⊕ w6,15 ⊕ w5,11 ⊕ 1, w6,32 = w6,11 ⊕ w6,28 ⊕ w5,25 ⊕ 1 w7 w7,19 = w7,8 ⊕ w7,4 ⊕ w6,1 ⊕ 1, w7,22 = w7,18 ⊕ w7,1 ⊕ w6,15 ⊕ 1, w7,23 = w7,12 ⊕ w7,8 ⊕ w6,5 ⊕ 1, w7,24 = w7,4 ⊕ w7,15 ⊕ w7,11 ⊕ w7,7 ⊕ w6,29 ⊕ w6,21 ⊕ w6,24 , w7,27 = w7,16 ⊕w7,12 ⊕w6,9 ⊕1, w7,28 = w7,7 ⊕w7,24 ⊕w6,21 ⊕1, w7,29 = w7,1 ⊕w7,12 ⊕w6,24 ⊕1, w7,31 = w7,10 ⊕ w7,27 ⊕ w6,24 , w7,32 = w7,4 ⊕ w7,15 ⊕ w6,29 ⊕ 1 w8 w8,15 = w8,2 ⊕ w8,11 ⊕ w8,13 ⊕ w8,9 ⊕ w7,23 ⊕ w7,27 ⊕ w7,7 ⊕ 1, w8,18 = w8,2 ⊕ w8,13 ⊕ w8,9 ⊕ w8,5 ⊕ w8,1 ⊕ w7,15 ⊕ w7,19 ⊕ w7,23 ⊕ w7,27 , w8,19 = w8,8 ⊕ w8,4 ⊕ w7,1 ⊕ 1, w8,22 = w8,1 ⊕w8,18 ⊕w7,15 , w8,23 = w8,2 ⊕w8,19 ⊕w7,15 ⊕1, w8,25 = w8,14 ⊕w8,10 ⊕w7,7 , w8,26 = w8,5 ⊕ w8,22 ⊕ w7,19 ⊕ 1, w8,27 = w8,16 ⊕ w8,12 ⊕ w7,7 ⊕ 1, w8,29 = w8,18 ⊕ w8,14 ⊕ w7,11 ⊕ 1, w8,30 = w8,9 ⊕ w8,26 ⊕ w7,23 ⊕ 1, w8,31 = w8,3 ⊕ w8,14 ⊕ w7,27 ⊕ 1 w9 w9,1 = w0,1 , w9,5 = w0,5 , w9,10 = w9,6 ⊕ w8,2 ⊕ w1,28 ⊕ w1,7 ⊕ w1,24 , w9,15 = w0,15 ⊕ 1, w9,16 = w9,5 ⊕ w8,29 ⊕ 1, w9,17 = w9,10 ⊕ w9,6 ⊕ w9,4 ⊕ w9,15 ⊕ w8,2 ⊕ w8,14 ⊕ w8,29 ⊕ 1, w9,18 = w9,1 ⊕ w9,15 ⊕ w9,11 ⊕ w9,5 ⊕ w8,8 ⊕ w8,18 ⊕ w8,14 ⊕ 1, w9,20 = w9,9 ⊕ w9,5 ⊕ w8,2 , w9,21 = w1,28 ⊕ w1,7 ⊕ w1,24 ⊕ 1, w9,22 = w9,1 ⊕ w9,18 ⊕ w8,14 ⊕ 1, w9,25 = w9,4 ⊕ w9,21 ⊕ w8,18 , w9,26 = w9,15 ⊕ w9,11 ⊕ w8,8 ⊕ 1, w9,29 = w9,1 ⊕ w9,12 ⊕ w8,26 ⊕ 1, w9,30 = w9,19 ⊕ w9,15 ⊕ w8,12 ⊕ 1, w9,32 = w9,21 ⊕ w9,17 ⊕ w8,14 w10 w10,8 = w1,5 , w10,9 = w2,27 ⊕w10,5 ⊕w2,6 ⊕w2,23 ⊕w9,1 , w10,13 = w10,9 ⊕w9,5 ⊕w1,24 ⊕1, w10,19 = w10,8 ⊕ w10,4 ⊕ w9,1 , w10,20 = w2,27 ⊕ w2,6 ⊕ w2,23 ⊕ 1, w10,23 = w10,12 ⊕ w10,8 ⊕ w9,5 , w10,24 = w1,24 , w10,28 = w10,7 ⊕ w10,24 ⊕ w9,21 ⊕ 1 w11 w11,8 = w3,26 ⊕ w3,15 ⊕ w3,11 ⊕ 1, w11,10 = w2,10 ⊕ 1, w11,15 = w2,13 ⊕ 1, w11,19 = w3,26 ⊕ w3,5 ⊕ w3,22 ⊕ 1, w11,21 = w2,21 ⊕ 1, w11,23 = w2,23 , w11,25 = w3,32 ⊕ w3,11 ⊕ w3,28 ⊕ 1, w11,26 = w11,15 ⊕ w11,11 ⊕ w10,8 ⊕ 1, w11,27 = w11,6 ⊕ w11,23 ⊕ w10,20 ⊕ 1, w11,31 = w11,10 ⊕ w11,27 ⊕ w10,24 , w11,32 = w11,11 ⊕ w11,28 ⊕ w10,24 ⊕ 1 w12 w12,5 = w12,1 ⊕ w11,15 ⊕ w11,19 ⊕ w4,25 ⊕ w4,4 ⊕ w4,21 ⊕ w3,26 , w12,15 = w12,11 ⊕ w11,8 ⊕ w3,26 , w12,17 = w12,13 ⊕ w11,10 ⊕ w3,28 ⊕ 1, w12,18 = w4,25 ⊕ w4,4 ⊕ w4,21 ⊕ 1, w12,22 = w12,1 ⊕w12,18 ⊕w11,15 ⊕1, w12,24 = w12,17 ⊕w12,13 ⊕w12,7 ⊕w11,10 ⊕w11,21 ⊕1, w12,26 = w3,26 ⊕ 1, w12,28 = w3,28 ⊕ 1, w12,29 = w12,18 ⊕ w12,14 ⊕ w11,10 ⊕ 1, w12,30 = w12,9 ⊕ w12,26 ⊕ w11,23 ⊕ 1, w12,32 = w12,11 ⊕ w12,28 ⊕ w11,25 ⊕ 1 w13 w13,12 = w13,1 ⊕ w12,26 ⊕ w4,29 , w13,14 = w5,32 ⊕ w5,21 ⊕ w5,17 ⊕ 1, w13,21 = w13,4 ⊕ w12,18 w4,25 , w13,25 = w4,25 ⊕ 1, w13,29 = w4,29 ⊕ 1, w13,31 = w13,3 ⊕ w13,14 ⊕ w12,28 ⊕ 1 w14 w14,15 = w14,7 ⊕ w14,9 ⊕ w14,4 ⊕ w13,29 ⊕ w1,29 ⊕ w1,8 ⊕ w1,25 , w14,21 = w14,4 ⊕ w14,15 ⊕ w14,17 ⊕ w13,14 ⊕ w13,29 , w14,25 = w14,7 ⊕ w14,9 ⊕ w14,2 ⊕ w1,29 ⊕ w1,8 ⊕ w1,25 ⊕ w1,22 ⊕ w1,1 ⊕ w1,18 , w14,28 = w14,21 ⊕ w14,17 ⊕ w14,11 ⊕ w13,14 ⊕ w13,25 , w14,30 = w14,7 ⊕ w14,9 ⊕ w14,23 ⊕ w1,8 ⊕ w1,25 ⊕ w1,20 ⊕ w1,31 ⊕ w1,16 ⊕ w1,29 , w14,32 = w14,21 ⊕ w14,17 ⊕ w13,14 ⊕ 1 w23 w23,15 = w23,7 ⊕w23,9 ⊕w23,4 ⊕w10,29 ⊕w10,8 ⊕w10,25 ⊕1, w23,21 = w23,4 ⊕w23,15 ⊕w23,17 , w23,25 = w23,4 ⊕ w23,15 ⊕ w23,2 ⊕ w9,15 ⊕ 1, w23,28 = w23,4 ⊕ w23,15 ⊕ w23,11 , w23,30 = w23,2 ⊕ w23,25 ⊕ w23,23 ⊕ w10,20 ⊕ w10,31 ⊕ w10,16 ⊕ w9,15 , w23,32 = w23,4 ⊕ w23,15

11

13

9

11

15

8

11

11

6 6

6

Inside the Hypercube Jean-Philippe Aumasson1, , Eric Brier3 , Willi Meier1, , Mar´ıa Naya-Plasencia2,   , and Thomas Peyrin3 2

1 FHNW, Windisch, Switzerland INRIA project-team SECRET, France 3 Ingenico, France

Some force inside the Hypercube occasionally manifests itself with deadly results. http://www.staticzombie.com/2003/06/cube 2 hypercube.html Abstract. Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The submissions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with • improved standard generic attacks for collisions and preimages • a multicollision attack that exploits fixed points • a study of the round function symmetries • a preimage attack that exploits these symmetries • a practical collision attack on a weakened version of CubeHash • a study of fixed points and an example of nontrivial fixed point • high-probability truncated differentials over 10 rounds Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions.

1

CubeHash

Bernstein’s CubeHash is a hash function family submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h; the 1024-bit internal state of CubeHash is viewed as a five dimensional hypercube. The submissions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. CubeHash computes a message digest as follows:   

Supported by the Swiss National Science Foundation under project no. 113329. ¨ STIFTUNG, project no. GRS-069/07. Supported by GEBERT RUF Supported in part by the French Agence Nationale de la Recherche under contract ANR-06-SETI-013-RAPIDE.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 202–213, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Inside the Hypercube

203

• initialize a 1024-bit state as a function of (h, b, r) • append to the message a 1 bit and enough 0 bits to reach a multiple of 8b bits • for each b-byte message block: • xor the block into the first b bytes of the state • transform the state through the r-round T function • xor a 1 bit with the 993rd bit of the state • transform the state through 10r-round T • output the first h bits of the state Let x[0], . . . , x[31] represent the 1024-bit state as an array of 32-bit words. The transform function T makes r identical rounds, where each round computes (see also Fig. 1): for for for for for for for for for for for for

i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15: i = 0, . . . , 15:

x[i + 16] = x[i + 16] + x[i] y[i ⊕ 8] = x[i] x[i] = y[i] ≪ 7 x[i] = x[i] ⊕ x[i + 16] y[i ⊕ 2] = x[i + 16] x[i + 16] = y[i] x[i + 16] = x[i + 16] + x[i] y[i ⊕ 4] = x[i] x[i] = y[i] ≪ 11 x[i] = x[i] ⊕ x[i + 16] y[i ⊕ 1] = x[i + 16] x[i + 16] = y[i]

See [5] for a more detailed description of CubeHash. This paper presents the first external analysis of CubeHash, with • • • • • • •

improved standard generic attacks for collisions and preimages a multicollision attack that exploits fixed points a study of the round function symmetries a preimage attack that exploits these symmetries a practical collision attack on a weakened version of CubeHash a study of fixed points and an example of nontrivial fixed point high-probability truncated differentials over the 10-round transform

After the first publication of this article [2], Dai, Peyrin, et al. presented a series of collision attacks [1, 8, 7, 6] on reduced versions of CubeHash. Their best results (as of Feb. 6) are an example of collision on CubeHash3/64 and a collision attack on CubeHash4/3 in about 2207 simple operations [6]. Our results, however, are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions.

204

J.-P. Aumasson et al.

Fig. 1. Schematic view of a CubeHash round

2

Improved Standard Generic Attacks

The author of CubeHash presented [3] the following “standard preimage attack”: • from (h, b, r) compute the initial state S0 • from the h-bit image plus some arbitrary (1024 − h) bits, invert 10r rounds and the “xor 1” to get a state Sf before finalization • find two n-block sequences that map S0 (forward) and Sf (backward), respectively, to two states that share the last (1024 − 8b) bits There are 2nb possible n-block inputs and one looks for a collision over (1024−8b) bits. For a success chance 1 − 1/e ≈ 0.63 one thus requires 2512−4b trials in each

Inside the Hypercube

205

direction, that is, 2nb > 1024 − 8b, i.e., n > 512/b − 4. In total the number of evaluations of T is approximately   512 2× − 4 × 2512−4b ≈ 2522−4b−log b . b Furthermore, [3] estimates that each round of T needs 211 “bit operations”; the above formula gives about 2533−4b−log b+log r bit operations. A speed-up of the above attack can be obtained by searching a collision not only in the states resulting of a n-block computation, but in every distinct state reached (i.e. also with the intermediate states). This is made possible by the absence of message length padding. Each call to T gives a new candidate for the collision search; we thus get rid of the (512/b − 4) multiplicative factor in the cost estimate. This gives a cost of 2 × 2512−4b = 2513−4b evaluations of T , i.e. 2524−4b+log r bit operations. The proposed CubeHash-512 has (h, b, r) = (512, 1, 8), our attack thus makes 2523 bit operations, against 2532 with the original attack. If r = 8, our attack needs b > 3 to make less than 2512 bit operations, against b > 5 with the original preimage attack. It is to note that these estimates exclude the non-negligible communication costs. One can use the same trick to speed-up the standard collision attack [3]; the cost in T evaluations then drops from 2521−4b−log b to 2512−4b .

3

Narrow-Pipe Multicollisions

Based on the “narrow-pipe” attacks in [4], we show a multicollision attack on CubeHash faster than Joux’s [10] or birthday [9,12] methods (for large b’s). Our attack requires the same amount of computation as narrow-pipe collisions. It exploits the fact that the null state is a fixed point for the compression function T (regardless of r), and that the message padding does not include the message length. Starting from an initial state S0 derived from (h, b, r), one finds two n-block sequences m and m that map S0 (forward) and the zero state (backward), respectively, to two states that share the last (1024 − 8b) bits. One finds a connection of the form T

S0 ⊕ m1 −→ S1 T

S1 ⊕ m2 −→ · · · ··· T

· · · −→ S1 T

S1 ⊕ m2 −→ 0 ⊕ m1

206

J.-P. Aumasson et al.

Once a path to the zero state is found, one can add an arbitrary number of zero message blocks to maintain a zero state. Colliding messages are of the form mm 00 . . . 0m, ¯ where m ¯ is an arbitrary sequence of blocks. Using the technique of §2, this multicollision attack requires approximately 2513−4b evaluations of T . In comparison, a birthday attack finds a k-collision in (k! × 2n(k−1) )1/k trials, and Joux’s attacks in log k × 24(128−b) . For example, with h = 512 and b = 112, our attack finds 264 -collisions within 265 calls to T , against > 2512 for a birthday attack and 270 for Joux’s.

4

State Symmetries

The documentation of CubeHash mentions [5, p.3] the existence of symmetries through the round function, and states that the initialization of CubeHash was designed to avoid them. However [5] gives no detail on those symmetries. In this section, we provide a reasoning that finds all symmetries inherent in the transformation T . In total we are able to show 15 symmetry classes of 2512 states each, and show how to exploit these. 4.1

Symmetry Classes

If a 32-word state x satisfies x[0] = x[1], x[2] = x[3], . . . , x[30] = x[31], then this property is preserved through the transformation T , with probability equal to 1, for any number of rounds. One can represent this symmetry with the pattern (each letter stands for a 32-bit word): AABBCCDD EEFFGGHH IIJJKKLL MMNNOOPP . In total we found 15 classes of symmetry: C1 : AABBCCDD EEFFGGHH IIJJKKLL MMNNOOPP C2 : ABABCDCD EFEFGHGH IJIJKLKL MNMNOPOP C3 : ABBACDDC EFFEGHHG IJJIKLLK MNNMOPPO C4 : ABCDABCD EFGHEFGH IJKLIJKL MNOPMNOP C5 : ABCDBADC EFGHFEHG IJKLJILK MNOPNMPO C6 : ABCDCDAB EFGHGHEF IJKLKLIJ MNOPOPMN C7 : ABCDDCBA EFGHHGFE IJKLLKJI MNOPPONM C8 : ABCDEFGH ABCDEFGH IJKLMNOP IJKLMNOP C9 : ABCDEFGH BADCFEHG IJKLMNOP JILKNMPO C10 : ABCDEFGH CDABGHEF IJKLMNOP KLIJOPMN C11 : ABCDEFGH DCBAHGFE IJKLMNOP LKJIPONM C12 : ABCDEFGH EFGHABCD IJKLMNOP MNOPIJKL C13 : ABCDEFGH FEHGBADC IJKLMNOP NMPOJILK C14 : ABCDEFGH GHEFCDAB IJKLMNOP OPMNKLIJ C15 : ABCDEFGH HGFEDCBA IJKLMNOP PONMLKJI

Inside the Hypercube

207

Each class contains 2512 states. If a state belongs to several classes, then its image under T also belongs to these classes; for example if S ∈ (Ci ∩ Cj ), then T (S) ∈ (Ci ∩ Cj ). We have |Ci ∩ Cj | ≤ 2256 . By the inclusion-exclusion principle, the number of distinct symmetric states is  15  ∪i=1 Ci  = 15 × 2512 − 70 × 2256 + 120 × 2128 − 64 × 264 ≈ 2516 . Note that symmetry is not preserved by the finalization procedure of CubeHash (the “xor 1” breaks any of the above symmetries). 4.2

Finding All Symmetry Classes

Now we prove that the classes C1 , . . . , C15 capture all the possible symmetries of CubeHash’s transform T . A symmetry class can be represented as a set of pairs (i, j), where each (i, j) means x[i] = x[j]. For example, C1 can be described by the set (0,1) (2,3) (4,5) (6,7) (8,9) (10,11) (12,13) (14,15) (16,17) (18,19) (20,21) (22,23) (24,25) (26,27) (28,29) (30,31) We want a symmetry class to propagate through one round of the scheme with probability equal to one. It is easy to see that this condition imposes that the equality constraints at the left and at the right branch of the scheme must be the same (because of the intra-word rotations that are only present in the left branch of the scheme). That is, for any relation (i, j) with 0 ≤ i, j ≤ 15, we must also have the relation (i + 16, j + 16). In other words, a symmetry pattern is the same for the left and for the right branch. We thus only need to consider 16-word symmetry patterns. To describe all possible symmetries, we start by fixing (0, k), for a fixed k in {1, . . . , 15}. We then compute T backwards to indentify the relations implied by (0, k): the first substitution and xor encountered force us to have (0, k) (4, k ⊕ 4). Then, the second substitution and the modular addition force to have (note that the intra-word rotations can be omitted since they leave the symmetry pattern unchanged) (0, k) (4, k ⊕ 4) (1, k ⊕ 1) (5, k ⊕ 5). The third substitution and xor yield (0, k) (4, k ⊕ 4) (1, k ⊕ 1) (5, k ⊕ 5) (2, k ⊕ 2) (6, k ⊕ 6) (3, k ⊕ 3) (7, k ⊕ 7).

208

J.-P. Aumasson et al.

Finally, the last substitution and the modular addition imply (0, k) (4, k ⊕ 4) (1, k ⊕ 1) (5, k ⊕ 5) (2, k ⊕ 2) (6, k ⊕ 6) (3, k ⊕ 3) (7, k ⊕ 7) (8, k ⊕ 8) (12, k ⊕ 12) (9, k ⊕ 9) (13, k ⊕ 13) (10, k ⊕ 10) (14, k ⊕ 14) (11, k ⊕ 11) (15, k ⊕ 15). Eventually, each symmetry that contains the relation (0, k)—i.e., x[0] = x[k]—also has the relations (i, k ⊕ i), 1, . . . , 15. Therefore, we have 15 distinct wordwise symmetry classes, of the form (i, k ⊕ i), i = 0, . . . , 15 for k ∈ {1, . . . , 15}. Each class contains 2512 states. For example, the case k = 1 provides directly C1 , and more generally k = i corresponds to Ci . 4.3

Exploiting Symmetric States for Finding Preimages

Given a target digest, one can make a preimage attack similar to that in §2, and exploit symmetric states for the connection. The attack goes as follows: • from the initial state, reach a symmetric state (of any class) by using 21024−516−8 = 2500 message blocks • from a state before finalization, reach (backwards) another symmetric state (not necessarily of the same class) • from these two symmetric states in classes Ci and Cj , use null message blocks in both directions  to reach two states in Ci ∩ Cj • find a collision by trying |Ci ∩ Cj | messages in each direction Complexity of steps 1 and 2 is about 2501 computations of T . The cost of steps 3 and 4 depends on i and j; but it is upper bounded by 2 × 2256 operations. Thus, in any case, the total complexity is about 2501 calls to T . This attack, however, finds messages of unauthorized size (more than 2256 bytes!). One can find preimages of reasonable size by using a variant of the above attack: suppose b > 4, from the initial state reach a state in a given class Ci , do the same backwards from a state before finalization. For a given b, the complexity of reaching a symmetric state depends on the Ci considered. Then one seeks a collision within Ci by trying messages preserving the symmetry: for example, if b = 5 and Ci = C1 , then one has to preserve the equality x[0] = x[1] and shall thus pick 5-byte messages of the form X000X (each digit stands for a byte). Since any Ci contains 2512 states, the cost of finding a collision within Ci is about 2256 trials in each direction. Below we give a class example Ci that is the easiest to reach, depending on the value of b: • 5 ≤ b < 9: one of the best classes is C1 , which gives (1024−2×4×8)/2 = 480 equations to verify • 9 ≤ b < 17: one of the best classes is C2 , which give (1024 − 2 × 8 × 8)/2 = 448 equations to verify

Inside the Hypercube

209

• 17 ≤ b < 33: one of the best classes is C4 , which gives (1024−2×16×8)/2 = 384 equations to verify • 33 ≤ b < 65: one of the best classes is C8 , which gives (1024−2×32×8)/2 = 256 equations to verify If n equations have to be verified, the cost of reaching a symmetric state is about 2n evaluations of T . Compared to the preimage attack in §2, the best speed-up obtained from a given Ci is when b = 4d + 1, where d is the number of 32-bit words that separate the first repetition of two words. To illustrate this attack, let’s study in more detail the case of C1 : • if b ≡ 0 mod 8, there are (1024 − 8b)/2 = 512 − 4b equations to satisfy, thus about 2512−4b calls to T are necessary • if b ≡ 4 mod 8, there are only (1024 − 8b − 32)/2 = 496 − 4b equations to satisfy, because one has no condition on the first state word not xored with the message block • generalizing, when b mod 8 ≤ 4, about 2512−4(b+(b mod 4)) calls to T are necessary • when b mod 8 > 4, there are (1024 − 8b − 32 + 8(b mod 4))/2 equations to satisfy, which gives a cost 2496−4(b−(b mod 4)) The general formula for the number of equations is 512 − 32b/8 − 32(b mod 8)/4 − [((b mod 8)/4 + 1) mod 2] × 8(b mod 4) . In the best case (b ≡ 4 mod 8), the attack is 215 times faster than that in §2 (in the worst case, b ≡ 0 mod 8, it has the same complexity). Note that when b = 5, the attack makes about 2481 calls to T , against 2493 with the attack in §2. 4.4

Exploiting Symmetric States for Finding Collisions

We present a technique to find collisions for a weakened version of CubeHash, in which we modify the IV (initial state). The initialization of CubeHash never leads to a symmetric initial state. Here we present a practical collision attack that would apply if the initial state were symmetric, and in C1 ∩ C2 ∩ C4 ∩ C8 . Suppose that the initial state of CubeHashr/b-h is in C1 ∩ C8 , i.e. is of the form AAAAAAAA AAAAAAAAA BBBBBBBBB BBBBBBBB . If one hashes the b233 -byte message that contain only zeros, then each of the 233 intermediate states is an element of C1 ∩ C2 ∩ C4 ∩ C8 . Assuming that T acts like a random permutation over this set, one will find two identical states with probability about 0.63, which directly gives a collision.

210

5

J.-P. Aumasson et al.

On the Fixed Points of T

In this section we let T be the 1-round transform of CubeHash. A fixed point for T r , r > 0, is a state x that is left unchanged by T r , i.e., T r (x) = x. Recall that the average number of cycles of length k is 1/k for a random permutation. If T were a random permutation, T would thus have one fixed point. Noting that a cycle of length r gives r fixed points for T r , we have that T 2 would have two fixed points (the one of T and one due to an average of 2 × 1/2 fixed points from cycles of length two); T 4 would have three fixed points (one for each cycle length in 1, 2, 4), etc. More generally, the average number of fixed points for T n would be the number of divisors of n, if T were a random permutation. Note that each symmetry class represents a class of cycles of T , and that the 15 symmetry classes give 67 distinct subsets. Modeling T as a random permutation over each of those subsets, one expects 67 fixed points. This gives for T 8 1 + 4 × 67 = 269 fixed points, where 4 is the number of divisors of 8, i.e., of cycles length that give fixed points for T 8 . Note that this results assumes a random behavior of T with respect to fixed points over the 67 subsets considered. Finding examples of fixed points seems difficult, however: the zero state x[0] = · · · = x[31] = 0 is a trivial fixed point for T , and thus also for T n , n ≥ 0. Among the states of the form x[0] = · · · = x[15], x[16] = · · · = x[31], the only nontrivial fixed point is the state with x[0] = 54E5FC8A and x[8] = 84FE49D2.

6

Truncated Differentials over T

This section shows how to detect non-randomness over the 10-round T transform. We start from a weight-64 difference to reach a weight-1 difference after 3 rounds with high probability; this nonlinear differential was discovered by simply computing backwards from the weight-1 difference. We consider the input difference 80000000 in x[16]. The word x[16] was chosen because x[16] · · · x[31] diffuse less in the first rounds than x[0] · · · x[15]. We set a difference 80000000 to minimize the impact of carries. We consider the following nonlinear differential. Input difference (weight-64): 18000000 10000000 08000000 30000000 00000040 00000080 00000000 00000000 00400000 00000000 00400000 01000404 00000003 80802002 00000001 81802004 40000000 08000000 00000000 E8020600 00000000 00000100 00000080 41F001C0 00400008 00000008 00400000 01000404 00000005 80802002 00000001 8080200C

Inside the Hypercube

Difference after one round (weight-26): 000E0000 00000000 00000000 00000000 00000000 00000040 00000080 00000040 01000004 00000000 00000004 00000000 00000000 00000000 00002000 00000000 800E0200 00000000 00000000 00000000 00000000 000000C0 00000080 000001C0 00000000 00000004 00000000 00000004 00000000 00002000 0000C000 00000000 Difference after two rounds (weight-9): 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 01000000 00000000 00002000 00000000 00002000 00000000 00000000 00000000 80000000 00000000 00000000 00000000 00100000 00000000 00000000 00000000 03000000 00000000 00002000 00000000 00002000 Difference after three rounds (weight-1): 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 which after another round gives with probability 1 the difference 80000000 00000000 80000000 00000000 00000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000 00000000 80000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

211

212

J.-P. Aumasson et al.

This differential holds with negligible probability for a random input. But it holds for the input DFB7AA11 7B2872F1 2848B142 64CB0AF9 17DA36E7 320A7AB2 27621CD8 B6E23031 3BCE90DB 0E496C61 AF4156BD 0B4D857F 4379D4C0 D495EAC9 038BD6E5 72A114CC 29065395 824774C3 F0923C34 28F3B2DD 74251DF6 1A562265 BD8EE5E3 DEFDD839 2804D3BE 89417DC3 F001CE4A 6A5328A8 2BEC024E B2306F17 1F2A7C6C 14BC37B6 For 32 random bits in x[25] and x[26] (at positions 4, . . . , 19 in both), the differential is satisfied with probability approximately 0.985. Note that in the linear model (i.e. when additions are replaced by xors), a differential path starting from the weight-1 difference cycles over 47 rounds. That is, it comes back to the difference 80000000 in x[16] after 47 rounds. Based on the above differential, we empirically looked for high-probability truncated differentials, based on the weight-64 input difference, and applying to each output bit a frequency test similar to that in [11, §2.1], with decision threshold 0.001 and 220 samples. We found 4 output bits with p-value less than 0.001, at positions 579, 778, 841, and 842. Over 11 rounds and more, no bias was detected. This observation is consistent with the fact that, when starting from the weight-1 difference, we could detect non-randomness on up to 7 rounds (now this difference is introduced three rounds later). Note that in a previous version of this article [2], we reached 8 rounds by starting one round before the weight-1 difference. These observations indicate that 10-round T does not act as a random permutation, and that 10 rounds may not be overkill, as suggested in [4]. But note that the settings used don’t correspond to a realistic attack scenario. Furthermore, if we restrict ourselves to differences in the first state byte, and put random bits in the rest of the state, then we observe non-randomness after up to 5 rounds.

References 1. Aumasson, J.-P.: Collision for CubeHash2/120-512. NIST mailing list (December 4, 2008), http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt 2. Aumasson, J.-P., Meier, W., Naya-Plasencia, M., Peyrin, T.: Inside the hypercube. Cryptology ePrint Archive, Report 2008/486, version 20081124:132635 (2008) 3. Bernstein, D.J.: CubeHash appendix: complexity of generic attacks. Submission to NIST (2008) 4. Bernstein, D.J.: CubeHash attack analysis (2.B.5). Submission to NIST (2008) 5. Daniel, J.B.: CubeHash specification (2.B.1). Submission to NIST (2008)

Inside the Hypercube

213

6. Brier, E., Khazaei, S., Meier, W., Peyrin, T.: Attack for CubeHash-2/2 and collision for CubeHash-3/64. NIST mailing list (local link) (2009), http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt 7. Brier, E., Peyrin, T.: Cryptanalysis of CubeHash (2009), http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf 8. Dai, W.: Collisions for CubeHash1/45 and CubeHash2/89 (2008), http://www.cryptopp.com/sha3/cubehash.pdf 9. Diaconis, P., Mosteller, F.: Methods for studying coincidences. Journal of the American Statistical Association 84(408), 853–861 (1989) 10. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) 11. NIST. SP 800-22, a statistical test suite for random and pseudorandom number generators for cryptographic applications (2001) 12. Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multicollisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006)

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions: Application to RIPEMD and Others Yu Sasaki and Kazumaro Aoki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan [email protected]

Abstract. We describe preimage attacks on several double-branch hash functions. We first present meet-in-the-middle preimage attacks on RIPEMD, whose output length is 128 bits and internal state size is 256 bits. With this internal state size, a straightforward application of the meet-in-the-middle attack will cost the complexity of at least 2128 , which gives no advantage compared to the brute force attack. We show two attacks on RIPEMD. The first attack finds pseudo-preimages and preimages of the first 33 steps with complexities of 2121 and 2125.5 , respectively. The second attack finds pseudo-preimages and preimages of the intermediate 35 steps with complexities of 296 and 2113 , respectively. We next present meet-in-the-middle preimage attacks on full Extended MD4, reduced RIPEMD-256, and reduced RIPEMD-320. The best known attack for these is the brute force attack. We show how to find preimages more efficiently on these hash functions. Keywords: RIPEMD, double branch, preimage, meet-in-the-middle.

1

Introduction

Hash functions are cryptographic primitives used for various purposes. They are required to satisfy several security properties: preimage resistance, second preimage resistance, collision resistance, and so on. Usually, if the length of the hash is n-bit, the required security for these properties is 2n , 2n , and 2n/2 , respectively. Note that in the SHA-3 competition [22] conducted by NIST, 2n security is required for the preimage resistance. Various hash functions have been designed. A list of hash function types is shown in Fig. 1. The most widely used hash functions, e.g., MD5 [18], SHA-1, and SHA-2 [23], have a structure where the initial value, whose length is the same as the hash value, is iteratively updated by using messages. Hereafter, we call such a structure “single-path.” In contrast, some hash functions update two copies of the initial value in parallel, merge each result, and finally output the merged value as the hash value of the message. Hereafter, we call such a structure “double-branch.” For example, RIPEMD [16], RIPEMD-128, and RIPEMD-160 [7], are double-branch hash functions. C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 214–231, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

H0

Hash

H0

H1

Hash

MD4 RIPEMD MD5 RIPEMD-128 SHA-1/-2 RIPEMD-160

H0

H1

H0

215

H1

Hash

Hash

MD4-Extend RIPEMD-256 RIPEMD-320

Cascaded construction

Fig. 1. Types of hash function structures

Hash functions are sometimes required to output longer hash values. For this purpose, some hash functions define an extension to output the double-length hash value, e.g., MD4 [17], RIPEMD-128, and RIPEMD-160. For a given input message, two hash values are computed by using different initial values and round constants. Finally, the concatenated value of two hash values, which is the double-length of the original hash value, is output. Such extensions of MD4, RIPEMD-128, and RIPEMD-160 are called Extended MD41 , RIPEMD-256, and RIPEMD-320, respectively. Efforts to strengthen the security are made in these extensions. Intermediate chaining values after each round are swapped between computations of two hash values so that a stronger interaction between two computations can be achieved. A cascaded construction, which was analyzed by Joux [10], produces a long hash value from two short hash values. It computes two hash functions and outputs the concatenated value. The security of the double-branch hash functions is unclear. Intuitively, if two hash functions are ideal, the security will be a product of two hash functions. However, if two hash computations are similar, some attacks might be performed because of unwanted dependencies. The designers of RIPEMD-256 and -320 consider this situation. Although the known best preimage attack on RIPEMD256 and -320 is the brute force attack, which costs 2256 and 2320 , their security is claimed to be 2128 and 2160 , respectively. Similarly, the security of Extended MD4 is not described by its designer2 . Reference [14, Fact 9.27] claims the security of the cascaded construction is a product of each hash function; however, Joux showed the security is damaged if iterated hash functions are instantiated [10]. 1.1

Attack History

Several papers have been published on finding collisions or variants of collisions on RIPEMD, RIPEMD-128, and RIPEMD-160 [6,5,4,25,12]. However, the 1 2

Rivest, the designer of MD4, did not name this extension. Dobbertin, the first cryptanalyst of this extension, called it “Extended MD4.” Dobbertin, in his analysis paper [5], introduced Extended MD4, which was proposed for highest security requirements.

216

Y. Sasaki and K. Aoki

preimage resistance of double-branch hash functions has not been studied much. Since 2008, several meet-in-the-middle preimage attacks on hash functions whose structures are similar to MD4 have been proposed [11,2,1,20,21]. The targets of these attacks are single-path hash functions, hence the attack techniques cannot be applied to double-branch hash functions directly. Mendel presented preimage attacks [13] on HAS-V [15], which is a double-branch hash function with a swapping function. The attack exploits a weakness of the HAS-V step-function, which cannot be applied to other hash functions. Saarinen [19] presented a preimage attack on FORK-256 [8], which is a 4-branch hash function. The attack has some similarity with ours; however, its success lies in the small number of steps in each branch and the weak message schedule of FORK-256. At ISPEC 2009, a preimage attack on 29 steps of RIPEMD with a complexity of 2115.2 was presented by Wang et al. [24]. Note that our work is independent of Ref. [24]. At CRYPTO’04, Joux analyzed the cascaded construction [10]. He showed that the cascaded construction does not provide the security of each product if an iterated hash function is used. Joux also explained that his technique cannot be applied to RIPEMD-256 and -320 due to the swapping function of intermediate values. This shows that the swapping function strengthens the security at some point. However, whether or not it can prevent other attacks is unclear. 1.2

Our Contribution

We present preimage attacks on several double-branch hash functions. We first present preimage attacks on step-reduced RIPEMD and then show how to find preimages of Extended MD4, RIPEMD-256, and RIPEMD-320 faster than the brute force attack does. The second result shows that using the swapping function does not provide the ideal security for double-branch hash functions. Details of each result are as follows. 1. We describe two preimage attacks on RIPEMD. The first attack, with a complexity of 2121 , provides pseudo-preimages of the first 33 out of 48 steps of RIPEMD. This can be converted to a preimage attack with a complexity of 2125.5 . Our attack is based on the meet-in-the-middle attack on MD5 and MD4 [1]. However, because RIPEMD runs two MD4 computations, the size of the internal state is also doubled. Therefore, the straightforward application of the meet-in-the-middle attack does not give any advantage. We focus on the differentials of two MD4 computations, and efficiently perform the meetin-the-middle attack. The second approach, with a complexity of 296 , provides pseudo-preimages of the intermediate 35 steps of RIPEMD. This can be converted to a preimage attack with a complexity of 2113 . Technically, we use the meet-in-the-middle attack and the idea of local collision. This strategy is partially similar to the preimage attack on 1-block MD4 [1]. 2. Extended MD4 provides 256-bit hash values. Our preimage attack on full Extended MD4 finds pseudo-preimages and preimages with complexities of 2229 and 2243.5 , respectively. We also show that pseudo-preimages and preimages

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

217

of the first 62 out of 64 steps of RIPEMD-256 are found with complexities of 2240 and 2249 , respectively, and pseudo-preimages and preimages of the intermediate 64 out of 80 steps of RIPEMD-320 are found with complexities of 2304 and 2313 , respectively. From a technical viewpoint, we show how to avoid the swapping functions. In Extended MD4, the message schedules of both sides are identical. We show that using swapping functions in such a structure does not prevent our attack. In RIPEMD-256 and -320, message schedules are different on each side. However, the attacker might be able to attack even if the swapping function is used. Then, by combining this idea with the splice-and-cut, partial-matching, and partial-fixing techniques proposed in Ref. [1,21], we attack those hash functions. Although results in this paper do not contradict the security claims of these hash functions, the known best attack on these hash functions is the brute force attack, and no one knows whether or not better attacks exist. Therefore, we believe that our analyses contribute to better understanding of the security of double-branch hash functions.

2 2.1

Description of Hash Functions MD4

MD4 takes arbitrary length messages as input and outputs 128-bit hash values. MD4 was proposed in 1990 by Rivest [17] and is a basic component of RIPEMD and Extended MD4. MD4 has the Merkle-Damg˚ ard structure. The input message is padded to be multiples of 512-bit. First, a single bit ‘1’ is appended, then bit ‘0’s are appended until the message length becomes 448 mod 512. Finally, the binary expression of the input message length is appended to the last 64 bits. The message is divided into 512-bit message blocks Mi . Then, the hash value is computed as follows:  H0 ← IV, Hi+1 ← md4(Hi , Mi ) for i = 0, 1, . . . , n − 1, where IV is the initial value defined in the specification, Hn is the output hash value, and md4: {0, 1}128 × {0, 1}512 → {0, 1}128 is the compression function of MD4 computed as follows. 1. 2. 3. 4.

Mi is divided into 32-bit message words mj (j = 0, 1, . . . , 15). p0 is set to Hi . Compute the following: pj+1 ← Rj (pj , mπ(j) ) for j = 0, 1, . . . , 47. Hi+1 (= p48 + Hi ) is output, where “+” denotes 32-bit word-wise addition. In this paper, we similarly use “−” to denote 32-bit word-wise subtraction.

Rj is the step function for Step j. Let aj , bj , cj , and dj be 32-bit values that satisfy pj = (aj , bj , cj , dj ). Rj (pj , mπ(j) ) is defined as follows: aj+1 = dj ,

bj+1 = (aj + Φj (bj , cj , dj ) + mπ(j) + kj ) ≪ sj ,

cj+1 = bj ,

dj+1 = cj ,

218

Y. Sasaki and K. Aoki

where Φj , kj , and ≪ sj are the bitwise Boolean function, constant value, and left rotation defined in the specification, respectively. π(j) is the MD4 message schedule. Note that Rj−1 (pj+1 , mπ(j) ) can be computed at almost the same complexity as that of Rj . 2.2

RIPEMD

RIPEMD [16] is an extension of MD4, whose compression function consists of two parallel copies of MD4’s compression function. These functions are identical but for the constant number in each step. We describe chaining variables for one side pj = (aj , bj , cj , dj ) and for the other side pj = (aj , bj , cj , dj ). The message schedule π(j), the constant numbers kj and kj , and the rotation number sj are different from those for MD4. These values are shown in Table 1. Finally, the outTable 1. Message schedule, constants, and rotation numbers of RIPEMD π(0), π(1), . . . , π(15) 0 1 2 3 4 π(16), π(17), . . . , π(31) 7 4 13 1 10 π(32), π(33), . . . , π(47) 3 10 2 4 9 0 ≤ i ≤ 15 ki 0x00000000 ki 0x50a28be6 s0 , s1 , . . . , s15 11 14 15 12 5 s16 , s17 , . . . , s31 7 6 8 13 11 s32 , s33 , . . . , s47 11 13 14 7 14

5 6 7 8 9 6 15 3 12 0 15 8 1 14 7 16 ≤ i ≤ 31 0x5a827999 0x00000000 8 7 9 11 13 9 7 15 7 12 9 13 15 6 8

10 11 12 13 14 9 5 14 2 11 0 6 11 13 5 32 ≤ i ≤ 47 0x6ed9eba1 0x5c4dd124 14 15 6 7 9 15 9 7 11 13 13 6 12 5 7

15 8 12

8 12 5

put of RIPEMD’s compression function Hn+1 = (Ha , Hb , Hc , Hd ) is computed by using Hn = (IVa , IVb , IVc , IVd ), p48 , and p48 as follows. Ha = IVb + c48 + d48 , Hc = IVd + a48 + b48 , 2.3

Hb = IVc + d48 + a48 , Hd = IVa + b48 + c48 .

RIPEMD-128, RIPEMD-160

RIPEMD-128 and RIPEMD-160, which output 128-bit and 160-bit hash values respectively, were proposed by Dobbertin et al. in 1996 [7]. They have been standardized by the International Organization for Standardization (ISO) [9]. A branch of RIPEMD-160 uses five 32-bit chaining variables. It computes 80 steps to produce the output value. Let the chaining variables in step j be pj = (aj , bj , cj , dj , ej ). Step function Rj (pj , mπ (j)) is as follows. aj+1 = ej , cj+1 = bj , dj+1 = cj ≪ 10, ej+1 = dj , bj+1 = ((aj + Φj (bj , cj , dj ) + mπ(j) + kj ) ≪ sj ) + ej .

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

219

Table 2. Message schedules of RIPEMD-160 r 0 16 32 48 64

π(r), π(r + 1), . . . , π(r + 15) π  (r), π  (r + 1), . . . , π  (r + 15) 0 1 2 3 4 5 6 7 8 9 101112131415 5 14 7 0 9 2 11 4 13 6 15 8 1 10 3 12 7 4 13 1 10 6 15 3 12 0 9 5 2 1411 8 6 11 3 7 0 13 5 101415 8 12 4 9 1 2 3 1014 4 9 15 8 1 2 7 0 6 1311 5 12 15 5 1 3 7 14 6 9 11 8 12 2 10 0 4 13 1 9 1110 0 8 12 4 13 3 7 1514 5 6 2 8 6 4 1 3 1115 0 5 12 2 13 9 7 1014 4 0 5 9 7 12 2 1014 1 3 8 11 6 1513 121510 4 1 5 8 7 6 2 1314 0 3 9 11

Between two copies of the compression function, the order of the Boolean functions, message schedules, constants, and rotation numbers are different. The message schedules are shown in Table 2. The output of RIPEMD-160 is computed in the same manner as that of RIPEMD. A branch of RIPEMD-128 uses 4 chaining variables and consists of 64 steps. The step function is the same as that of MD4 and RIPEMD. The Boolean functions and rotation numbers used in RIPEMD-128 are the same as those of the first 64 steps for RIPEMD-160, but the order is different. The message schedule for RIPEMD-128 is the same as that of the first 64 steps for RIPEMD160, which is shown in Table 2. Computation for the final output is also the same as that of RIPEMD. 2.4

Extended MD4, RIPEMD-256, and RIPEMD-320

Extended MD4 is an optional extension of MD4 proposed by Rivest to obtain 256-bit hash values [17]. Two copies of MD4 are run in parallel over the input. The first copy is the same as MD4. The second copy is computed with different IV and constants. To strengthen the data dependency between two copies, a swapping function is introduced, which exchanges the values of a16 and a16 , a32 and a32 , and a48 and a48 . The final output is obtained by concatenating both results. RIPEMD-256 and RIPEMD-320 are extensions of RIPEMD-128 and RIPEMD-160 for obtaining the double length hash values without needing a higher security level [7]. The output is achieved by computing the feedforward of IV in each branch and concatenating the results at the end of every application of the compression function. Interaction between two copies is introduced by a swapping function, which exchanges the values of a16 and a16 , b32 and b32 , etc.

3 3.1

Related Works Converting Pseudo-preimage Attack to Preimage Attack

Given a hash value Hn , a pseudo-preimage is a pair of (Hn−1 , M ) such that Hash(Hn−1 , M ) = Hn . In x-bit iterated hash functions, a pseudo-preimage attack whose complexity is 2y , y < x − 2 can be converted to a preimage attack x+y with a complexity of 2 2 +1 [14, Fact9.99].

220

3.2

Y. Sasaki and K. Aoki

Meet-in-the-Middle Preimage Attack

Aoki and Sasaki proposed a preimage attack based on the meet-in-the-middle attack [1]. They proposed three techniques named splice-and-cut, partial-matching, and partial-fixing. The splice-and-cut technique considers the first and last steps of the compression function as consecutive steps. Then, the compression function is divided into two chunks of steps so that each chunk includes independent message words, which are called neutral words. Then, a pseudo-preimage is computed by the meet-in-the-middle attack. The partial-matching technique can skip messages in several steps when checking the match in the meet-in-the-middle attack. It focuses on the property where not all the chaining variables are updated in each step. With this idea, we can partially compare two results, even if values of message words in several steps are not known. The partial-fixing technique enables an attacker to skip more steps. The idea is to fix a part of the neutral words so that an attacker can partially compute a chunk even if a neutral word for the other chunk appears. For example, consider the inversion of MD4: aj = (bj+1 ≫ sj ) − Φj (cj+1 , dj+1 , aj+1 ) − mπ(j) − kj . If the lower n bits of mπ(j) are fixed and thus known to the attacker and if other variables are fully known, the lower n bits of aj can be computed independently of the higher 32 − n bits. Since the internal state size of RIPEMD is double the output size, the straightforward application of the meet-in-the-middle attack does not give any advantage. 3.3

Analysis on Double-Branch Hashes and Cascaded Construction

At CRYPTO 2004, Joux proposed attacks on cascaded construction [10]. Joux showed how to generate multi-collisions of iterated hash functions and how to find collisions and preimages of the cascaded construction by using multicollisions. The success of Joux’s attack lies in the independency of the two hash functions in the cascaded construction, namely, multi-collisions of the iterated hash functions can be generated independently of the others. Joux explained that his technique would not be applied to RIPEMD-256 and -320 due to the dependency of the two compression functions caused by swapping functions. In conclusion, if swapping functions are used, no attack is known to break the preimage resistance of double-branch hash functions.

4

Preimage Attacks on RIPEMD

We present here two preimage attacks on RIPEMD. The first attack targets the first 33 steps and the second attack targets the intermediate 35 steps. 4.1

Attacks on First 33 Steps

Outline of Attack. Our attack is based on the meet-in-the-middle attack introduced in Section 3.2. However, since the internal state size is double the

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

k k k

1st chunk ps Start step

Δ=0 Δ=Δstart

2nd chunk

1st chunk Start step

p s’

221

k’ k’ k’

2nd chunk

Hn

Meet-in-the-middle

Fig. 2. Outline of strategy 1

output size, a direct application of the meet-in-the-middle attack cannot exceed the brute force attack. Our strategy to solve this problem is shown in Fig. 2. We separate the attack target so that one chunk is located in the first several steps and the other chunk is located in the last relatively long steps, and then we compare the results of the two chunks at the last feedforward operation which is performed in 128 bits. Assume ma and mb are neutral words, where ma is included in the first chunk but is not included in the second chunk, and mb is vice versa. Remember that message schedules for both sides are identical, hence if one side can be separated into two chunks, the other side can always be separated in the same manner. First, we fix all message words but ma and mb and fix chaining variables at the border of two chunks, e.g., fix ps and ps to compute the first and second chunks independently. We then inversely compute the first chunk with Rj−1 (pj+1 , mj ) and Rj −1 (pj+1 , mj ) for j = s − 1, s − 2, . . . , 0 by trying all values of ma and store the results in a table. Finally, we compute the second chunk with Rj (pj , mj ) and Rj (pj , mj ) for j = s, s + 1, . . . , 32 by trying all values of mb and then check whether the result matches items in the table. For consistency with the specification of RIPEMD, the values of p0 and p0 computed in the backward computation must be identical, because they are originally computed from the same IV . The differences of the computations for both sides are differences of the constant Δk only. Therefore, we fix intermediate chaining variables ps and ps to have a specific difference Δstart so that Δstart and Δk can be cancelled out in the backward computation. Set Up of Attack. We separate the 33 steps into 2 chunks as shown in Fig. 3. The border of the two chunks is between Steps 2 and 3; we therefore fix p3 and p3 so that their difference Δstart can cancel Δk in Steps 0–2. Now we trace the differentials in Steps 0–2 of both sides to determine the appropriate Δstart . The analysis is shown in Fig. 4.

222

Y. Sasaki and K. Aoki Step 0 1 2 index 0 1  2 first chunk Step 16 17 18 index 7 4 13

3 4 5 6 7 3 4 5 6 7

8 9 10 11 12 13 14 15 8 9 10 11  12 13 14 15 second chunk 19 20 21 22 23 24 25 26 27 28 29 30 31 1 10 6 15 3  12 0 9 5 14  2 11 8 second chunk skip Step 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 index 3 10  2 4 9 15 8 1 14 7 0 6 11 13 5  12 skip Excluded from the attack target

In RIPEMD, the message schedules of the two compression functions are identical. We separate them into two chunks in the same manner. Fig. 3. Chunks for first 33 steps of RIPEMD 0 a0 0

0 m0 Δk0 k0

0 b0

0 c0

0 d0

b1 (−Δk0)<<<s0

c1 0

d1 0

b2 (−Δk1)<<<s1

c2(−Δk0)<<<s0

d2 0

Φ0

<<< s0

a1 0 Φ1

0 m1 Δk1 k1

0? <<< s1

a2 0 0 m2 Δk2 k2

Δv

Φ2

<<< s2

a3 0

b3 (−Δv−Δk2)<<<s2

c3 (−Δk1)<<<s1

d3 (−Δk0)<<<s0

Bold font represents the value of differences. Fig. 4. Differences propagation in first three steps

The difference of a variable X is defined as ΔX = X  − X. The goal is determining Δa3 , Δb3 , Δc3 , and Δd3 so that Δa0 , Δb0 , Δc0 , and Δd0 become 0. Since message schedules for both sides are identical, Δmπ(j) is always 0. In the first chunk, m2 is the neutral word. Therefore, in every trial of the first chunk, the values of m2 and corresponding chaining variables are changed. In Fig. 4, we circled such variables. The analysis is as follows. Δb0 = 0: This can be easily achieved by setting Δa3 = 0. Δa0 = 0: Assume we can achieve Δb0 = Δc0 = Δd0 = 0. Then, Δa0 = 0 can be achieved by setting Δd3 = (−Δk0 ) ≪ s0 . Δc0 = 0: Assume we have finished fixing the values of a3 , a3 , c3 , c3 , d3 , and d3 . Then, the value and difference of the output of Φ2 are fixed. Let this difference be Δv. Finally, Δc0 = 0 is achieved by setting Δb3 = (−Δv − Δk2 ) ≪ s2 .

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

223

Δd0 = 0: Achieving Δd0 = 0 is complicated. We want to guarantee Δa1 = 0 regardless of the value of the neutral variable m2 . To achieve this, we need to fix the value of Φ1 independently of m2 . Since the function Φ1 is Φ1 (X, Y, Z) = (X ∧ Y ) ∨ (¬X ∧ Z) and Δc1 = Δd1 = 0, ΔΦ1 can be fixed to 0 by setting b1 = b1 . However, this is impossible since b1 and b1 must have differences. Consequently, we search for the exact value of b1 and b1 to minimize the Hamming weight of (b1 ⊕b1 ) so that the probability of ΔΦ1 = 0 is maximized. Remember that for each bit where b1 ⊕ b1 = 1, the equation ΔΦ1 = 0 is satisfied with a probability of 1/2. As we will explain later, we fix the lower 21 bits of m2 for the partialfixing technique. Consequently, the lower 21 bits of ΔΦ1 are fixed. Therefore, minimizing the Hamming weight of the upper 11 bits (HW 11 ) of (b1 ⊕ b1 ) is enough. We tried 232 values of b1 and confirmed that no value achieves HW 11 (b1 ⊕b1 ) ≤ 3 and many values achieve HW 11 (b1 ⊕b1 ) = 4. For example, b1 = 0xffffffff, b1 = 0x50a28be5 is the case. Finally, by choosing the value of b1 (= d3 ) to minimize the Hamming weight, the probability of ΔΦ1 = 0 is 2−4 . Partial-Matching and Partial-Fixing Techniques. As a result of computing the second chunk, we obtain p29 and p29 . By fixing the lower 21 bits of m2 , we can perform the meet-in-the-middle attack on a further 4 steps in forward computation, namely, up to Step 32. The equation we use for matching is Hb = IVc + d33 + a33 , where Hb is given and the upper 11 bits of IVc are all a29 0-20 m2 k29

all

b30 11-31

c30 all

d30 all

11-31

Φ30

<<< 13

b31 24-31 ( 2) c31 11-31

d31 all

b32

c32 24-31 ( 2)

d3211-31

b33

c33

d33 24-31 ( 2)

Φ31 <<< 12

a32 all all m3 k32

all d29

<<< 11

a31 all all m8 k31

all c29

Φ29

a30 all all m11 k30

all b29

Φ32 <<< 11

a33 11-31

Bold font represents the bit positions of known bits. Fig. 5. Partial-matching and partial-fixing techniques

224

Y. Sasaki and K. Aoki

produced from the first chunk. Therefore, we need to compute d33 from p29 and a33 from p29 . How we compute d33 and a33 is shown in Fig. 5. Since m2 is identical on both sides, the fixed bit positions in m2 are also identical on both sides. In Fig. 5, since the lower 21 bits of m2 are fixed, we can uniquely compute bits 11–31 of b30 . This produces bits 11–31 of Φ30 . In the addition of Φ30 , we cannot determine the carried number from bit position 10 to 11. Therefore, we consider both carried number patterns and obtain two candidates for bits 24–31 of b31 after the s30 (= 13)-bit left rotation. Then, we compute the upper 8 bits of d33 + a33 with consideration of the two candidates of carried number patterns from bit position 23 to 24. In conclusion, the second chunk produces 4 candidates for the upper 8 bits of d33 + a33 for given p29 and p29 , and thus, we can perform the 8-bit matching in 33-step RIPEMD. Remark: From a designer’s view, when results of two compression functions are merged, adding two values from different registers seems to be a good strategy against our attack. In fact, with only the partial-matching technique, attackers can skip only two steps in RIPEMD, whereas attackers can skip three steps in MD4. This is because the attacker needs to know the values of two different registers to compute each word of the output of RIPEMD. Attack Procedure. Our attack first finds pseudo-preimages and converts them to preimages. Therefore, our attack finds a 2-block preimage. Hence, we fix m13 , m14 , and m15 to satisfy padding for 2-block messages. Given a hash value H2 = (Ha , Hb , Hc , Hd ), the attack procedure is as follows. 1. Fix mi (i ∈ {2, 12, 13, 14, 15}) and the lower 21 bits of m2 to randomly chosen values. 2. Fix a3 , b3 , c3 to randomly chosen values and d3 to 0xffffffff. Then, compute a3 , b3 , c3 , and d3 to make Δstart , shown in Fig. 4. 3. (a) For all upper 11 bits of m2 , compute Rj−1 (pj+1 , mπ(j) ) and Rj−1 (pj+1 , mπ(j) ) for j = 2, 1, 0. (b) If Δp0 = 0, compute Hb − c0 and store (m2 , p0 , Hb − c0 )s in a table. 4. Compute Rj (pj , mπ(j) ) and Rj (pj  , mπ(j) ) for j = 3, 4, . . . , 11, and store p12 and p12 . 5. (a) For all m12 , compute Rj (pj , mπ(j) ) and Rj (pj , mπ(j) ) for j = 12, 13, . . . 28. (b) Compute bit positions 11 to 31 of b30 and b30 , then compute bit positions 24 to 31 of b31 for both carried number patterns as shown in Fig. 5. Then, compute bits 24–31 of d33 + a33 by considering both carried number patterns from bit 23 to 24. (c) For each item in the table, check whether bits 24–31, in total 8 bits, of d33 + a33 are matched with Hb − c0 . (d) If matched, compute p30 to p33 by the corresponding mi , and check whether or not all values are matched. (e) If all bits are matched, the corresponding message and p0 is a pseudopreimage.

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

225

Complexity Evaluation. Assume the complexity for computing 1 step is 1/33 33-step RIPEMD computations. The computational complexity of the above 3 procedure is as follows. Step 3a takes 211 · 33 . Since the success probability of 3b −4 7 11 −4 is 2 , 2 (= 2 · 2 ) items are stored in the table. Step 4 is negligible. Steps 5a 3 34 32 and 5b take 232 · ( 17 33 + 33 ). In 5b, 2 (= 2 · 2 · 2) items are produced. Therefore, 41 34 7 in 5c, 2 (= 2 · 2 ) pairs are compared, and after 8-bit matching for both carried number patterns, 233 (= 241 · 2−8 ) pairs will remain. In 5d, we compute 2 p30 and p31 at the complexity of 228 (= 233 · 64 ), and by applying additional 56-bit match and checking the correctness of the guess for the carried number patterns, 2−25 (= 233 · 2−56 · 2−2 ) pair will remain. Furthermore, by computing p31 and p32 at negligible complexity, we obtain 2−89 (= 2−25 · 2−64 ) pair that is matched with 128 bits. The dominant complexity so far is 232 of 5a and 5b. Therefore, by repeating the attack 289 times, we obtain a pseudo-preimage at the complexity of 2121 (= 232 × 289 ). Finally, by applying the technique in Section 3.13 , this pseudo-preimage attack is converted to the preimage attack with a complexity of 2125.5 . In the above procedure, a memory is used to store 27 (m2 , p0 , Hb − c0 )s at step 3b. Therefore, the memory complexity of this attack is approximately 27 × 6 words. 4.2

Attack on Intermediate 35 Steps

Similar to the attack on the first 33 steps, this attack is a meet-in-the-middle attack, but the approach is different. The strategy is shown in Fig. 6. In this approach, we start the meet-in-the-middle attack from an intermediate step of either two copies of the compression functions. Let us start from the left side. We separate the compression function so that one chunk includes two neutral messages that can form a local collision. This strategy was first used for the 1-block preimage attack on MD4 [1]. Due to the property of the local collision, the value of a pseudo-preimage is always fixed to a constant value. Therefore, we can consider the feedforward as constant addition and can compute the second chunk independently of the first chunk. Finally, we perform the meet-in-the-middle attack at the right side. The chunk we use is shown in Fig. 7. The attack procedure is similar to Aoki and Sasaki’s one-block MD4 preimage attack [1], and how to construct a local collision in the second round is explained in Leurent’s MD4 preimage attack [11]. Therefore, because of the limited space, we omit the detailed attack procedure. Since both of the first and second chunks have 232 free bits, the complexity of finding the pseudo-preimage is 296 , and this attack, at the complexity of 2113 , is converted to the preimage attack. The memory complexity is approximately 232 × 5 words.

3

Several techniques converting partial-pseudo-preimages to preimages have been proposed [11,3]. However, since our attack does not find partial-pseudo-preimages efficiently, these techniques cannot be applied.

226

Y. Sasaki and K. Aoki

Constant 1st chunk

1st chunk

m6 m0

m6 Local collision

m0 Meet-inthe-middle

Start step

m2

m2 2nd chunk

2nd chunk

m2

m2

Hn

Fig. 6. Outline of strategy 2 Step index

0

3 4 3 4 excluded Step 16 17 18 19 20 index 7 4 13 1 10

10 10 first 21 22 23 24 25 26 6 15 3 12 0 9 first chunk Step 32 33 34 35 36 37 38 39 40 41 42 index 3 10 2 4 9 15 8 1 14 3 0 second chunk

 0

1 1

2

 2



5 5



6

 6

7 8 7 8

9 9



11 12 11 12 chunk 27 28 5 14

13 14 15 13 14 15

29 30 31 8 2nd chunk 43 44 45 46 47 6 11 13 5 12 excluded

 2 11



Chunk separations are identical on both sides.

Fig. 7. Chunks for intermediate 35 steps of RIPEMD

5

Cryptanalyses on Double-Branch Hash Functions

In this section, we analyze the preimage resistance of double length parallel hash functions. Specifically we give a study of relations of the splice-and-cut technique and swapping functions. 5.1

Extended MD4

In Extended MD4, two copies of MD4 with different IV and constants are computed. The swapping function of Extended MD4 exchanges the values of a16 and a16 , a32 and a32 , and a48 and a48 . MD4 has already been broken by using the splice-and-cut technique [1]. In this research, we found that the swapping function of Extended MD4 cannot prevent the splice-and-cut technique, namely, preimages are generated by almost the same approach as MD4. This is caused by the fact that the message schedules of two MD4 computations are exactly the same as original MD4. Due to this

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

227

fact, when we compute chunks in one side, we can also compute the value for the other side. Since we know the values for both sides, we can exchange them according to the swapping function. This means the swapping functions do not contribute to prevent our attack. The chunk separation is the same as that shown in Ref. [1, Fig.5]. However, the partial-fixing technique can be improved for Extended MD4. In this attack, since we compare the results of two chunks on both compression functions, the number of bits matched by the meet-in-the-middle attack can increase. This enables us to reduce the fixed bits in neutral words, hence free bits in neutral words increase and the meet-in-the-middle attack becomes efficient. By the partial-fixing technique, we fix the lower 5 bits of the neutral word and examine the 30-bit matching (= 5 bits × 6 words). This results in the pseudopreimage attack4 with a complexity of 2229 . This, with a complexity of 2243.5 , is converted to a preimage attack with the algorithm explained in Section 3.1. The memory complexity is approximately 227 × 11 words. 5.2

RIPEMD-256 and RIPEMD-320

In RIPEMD-256 and -320, the message orders of two copies of the compression functions are different. Therefore, different from Extended MD4, the attack cannot be applied in a straightforward manner. Note that the swapping function exchanges the value of a16 and a16 , b32 and b32 , c48 and c48 , and so on. To attack RIPEMD-256, we first search for a pair of neutral words that can attack as many steps as possible on either side. Then, on the other side, we check if we can divide the steps into two chunks so that the intermediate chaining variables that are used in the swapping function can also be computed. Selected neutral words and chunks are shown in Fig. 8. As shown in Fig. 8, we skip eight steps when we attack the right side of MD4 by using the partial-matching and partial-fixing techniques. As introduced in Ref. [1], the partial-fixing technique, which increases the matching candidate twice, enables us to partially compute four steps in backward computation and one step in forward computation. The partial-matching technique enables us to skip three steps. Finally, eight steps can be skipped. Avoid Swapping Function. In this attack, we assume that a16 and a16 , b32 and b32 , and c48 and c48 are exchanged. d64 and d64 are not exchanged since Step 63 is excluded from the attack target. As you can see in Fig 8, b32 and b32 are included in the second chunk and c48 and c48 are included in the first chunk. Therefore, by computing both sides simultaneously, we can compute the values that follow the swapping function. a16 and a16 are included in the skipped steps. When we check the matching of the results of both chunks, we do not use the values of a16 and a16 . Therefore, swapping a16 and a16 does not affect the attack complexity. 4

If the previous attack is applied without improving the partial-fixing technique, this complexity would be 2241 .

228

Y. Sasaki and K. Aoki

Step index L

 0

0

1 1

2 2

index R

5

14 7

3 3

4 4

 0

9

5 6 5 6

7 7

8 8

9 9

 10 11

10 11 12 13 14 15 12 13 14 15

2 11 4 13 6 first chunk

15 8

1

 10

3 12 skip

Step 16 17 18 19 20 21 22 23 24 25 26 27 28 index L 7 4 13 1 10 6 15 3 12 0 9 5 2 second index R 6 11 3 7 0 13 5 10 14 15 8 12 4 skip second chunk

29 30 31 14 11 8 chunk 9 1 2

Step 32 33 34 35 36 37 38 39 40 41 42 43 44 index L 3 10 14 4 9 15 8 1 2 7 0 6 13 second chunk first chunk index R 15 5 1 3 7 14 6 9 11 8 12 2 10 second chunk

45 46 47 11 5 12

 









 0

Step 48 index L 1 first index R 8

4 13 first chunk

49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 9 11 10 0 8 12 4 13 3 7 15 14 5 6 2 chunk excluded 6 4 1 3 11 15 0 5 12 2 13 9 7 10 14 first chunk excluded







Fig. 8. Chunks for first 62 steps of RIPEMD-256

Outline of Attack Procedure. Fix messages mj , j ∈ / {0, 10}, p39 , and p45 ,  where pj is a variable for the left side and pj is for the right side. In the first chunk, compute Rj (pj , mπ(j) ) and Rj (pj , mπ(j) ) to obtain p48 and p48 and swap c48 and c48 to follow the swapping function. Then, we compute Rj (pj , mπ(j) ) until we obtain p13 and store the results in a table. In the second chunk, compute Rj−1 (pj , mπ(j) ) and Rj−1 (pj , mπ(j) ) to obtain p32 and p32 and swap b32 and b32 to follow the swapping function. Then, we compute Rj−1 (pj , mπ(j) ) until we obtain p21 and check whether the result matches items in the table by using the partial-matching and partial-fixing techniques. Hence, a pseudo-preimage for the right side is found efficiently, and by repeating this attack 2128 times, one of the resulting pseudo-preimages will also be the pseudo-preimage for the left side. Complexity Estimation. When we attack the right side, we use the splice-andcut technique. Since the partial-fixing technique is used, the complexity to find a pseudo-preimage of the right side is 2112 . If a pseudo-preimage of the right side is found, we check whether the message is also a pseudo-preimage of the left side. This occurs with a probability of 2−128 . Therefore, with a complexity of 2240 , we obtain a pseudo-preimage, and this, with a complexity of 2249 , is converted to a preimage. The memory complexity is approximately 216 × 9 words.

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

229

Preimage Attack on Intermediate 64 Steps of RIPEMD-320. With the same strategy as the attack on RIPEMD-256, the intermediate 64 steps of RIPEMD-320 can be attacked. From Steps 12–75 are our attack target, and we select m10 and m11 as neutral words. Since the attack strategy is the same as that of RIPEMD-256, we show details of the chunks in Appendix A, Fig. 9. Since the partial-fixing technique is necessary, the complexity of the pseudopreimage attack is 2304 , and this, with a complexity of 2313 , is converted to a preimage attack. The memory complexity is approximately 216 × 7 words.

6

Conclusion

We first described preimage attacks on RIPEMD. The first attack focuses on differentials of two copies of the compression function and attacks the first 33 steps. The second attack uses local collision and attacks the intermediate 35 steps. We next analyzed the preimage resistance of double-length hash functions. Our attacks find preimages of full Extended MD4, the first 62 steps of RIPEMD256, and the intermediate 64 steps of RIPEMD-320 faster than the brute force attack does. We believe that analyses presented in this paper will contribute to greater understanding of the security of double-branch hash functions.

References 1. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Workshop Records of SAC 2008, Sackville, Canada, pp. 82–98 (2008) 2. Aumasson, J.-P., Meier, W., Mendel, F.: Preimage attacks on 3-pass HAVAL and step-reduced MD5. In: Workshop Records of SAC 2008, Sackville, Canada, pp. 99– 114 (2008); ePrint version is available at IACR Cryptology ePrint Archive: Report 2008/183, http://eprint.iacr.org/2008/183.pdf 3. Canni´ere, C.D., Rechberger, C.: Preimages for reduced SHA-0 and SHA-1. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 179–202. Springer, Heidelberg (2008); (slides on preliminary results were appeared at ESC 2008 seminar http://wiki.uni.lu/esc/) 4. Debaert, C., Gilbert, H.: The RIPEMDL and RIPEMDR improved variants of MD4 are not collision free. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 65–74. Springer, Heidelberg (2002) 5. Dobbertin, H.: Cryptanalysis of MD4. Journal of Cryptology 11(4), 253–272 (1997); First result was announced at FSE 1996 6. Dobbertin, H.: RIPEMD with two-round compress function is not collision-free. Journal of Cryptology 10(1), 51–69 (1997) 7. Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996) 8. Hong, D., Chang, D., Sung, J., Lee, S., Hong, S., Lee, J., Moon, D., Chee, S.: A new dedicated 256-bit hash function: FORK-256. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 195–209. Springer, Heidelberg (2006) 9. International Organization for Standardization. ISO/IEC 10118-3:2004, Information technology – Security techniques – Hash-functions – Part 3: Dedicated hashfunctions (2004)

230

Y. Sasaki and K. Aoki

10. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) 11. Leurent, G.: MD4 is not one-way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008) 12. Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: On the collision resistance of RIPEMD-160. In: Katsikas, S.K., L´ opez, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 101–116. Springer, Heidelberg (2006) 13. Mendel, F., Rijmen, V.: Weaknesses in the HAS-V compression function. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 335–345. Springer, Heidelberg (2007) 14. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1997) 15. Park, N.K., Hwang, J.H., Lee, P.J.: HAS-V: A New Hash Function with Variable Output Length. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 202–216. Springer, Heidelberg (2001) 16. RIPE Integrity Primitives, Berlin, Heidelberg, New York. Integrity Primitives for Secure Information Systems, Final RIPE Report of RACE Integrity Primitives Evaluation, RIPE-RACE 1040 (1995) 17. Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991); Also appeared in RFC 1320, http://www.ietf.org/rfc/rfc1320.txt 18. Ronald, L.R.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992), http://www.ietf.org/rfc/rfc1321.txt 19. Saarinen, M.-J.O.: A meet-in-the-middle collision attack against the new FORK256. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 10–17. Springer, Heidelberg (2007) 20. Sasaki, Y., Aoki, K.: Preimage attacks on 3, 4, and 5-pass HAVAL. In: Pieprzyk, J.P. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 253–271. Springer, Heidelberg (2008) 21. Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, New York (2009) 22. U.S. Department of Commerce, National Institute of Standards and Technology. Federal Register 72(212) (November 2, 2007), http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf 23. U.S. Department of Commerce, National Institute of Standards and Technology. Secure Hash Standard (SHS) (Federal Information Processing Standards Publication 180-3) (2008), http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf 24. Wang, G., Wang, S.: Preimage attack on hash function RIPEMD. In: Bao, F., Li, H., Wang, G. (eds.) ISPEC 2009. LNCS, vol. 5451, pp. 274–284. Springer, Heidelberg (2009) 25. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)

Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions

A

231

Chunks for Intermediate 64-Step RIPEMD-320

Step 0 index L 0

1 1

2 2

3 3

index R 5 14

7

0

4 4

5 6 7 5 6 7 excluded 9 2  11 4 excluded

8 8

9 10 11 12 13 14 15 9  10  11 12 13 14 15 first chunk 13 6 15 8 1  10 3 12 first chunk

Step 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 index L 7 4 13 1  10 6 15 3 12 0 9 5 2 14  11 8 first chunk skip index R 6  11 3 7 0 13 5  10 14 15 8 12 4 9 1 2 Step 32 33 34 35 36 37 38 39 40 index L 3  10 14 4 9 15 8 1 2 skip second index R 15 5 1 3 7 14 6 9  11 Step 48 49 50 51 52 53 54 index L 1 9  11  10 0 8 12 2nd chunk index R 8 6 4 1 3  11 15 second

41 42 43 44 45 46 47 7 0 6 13  11 5 12 chunk 8 12 2  10 0 4 13 second chunk

55 56 57 58 59 60 61 62 63 4 13 3 7 15 14 5 6 2 first chunk 0 5 12 2 13 9 7  10 14 chunk first chunk

Step 64 65 66 67 68 69 70 71 72 73 74 75 index L 4 0 5 9 7 12 2  10 14 1 3 8 first chunk index R 12 15  10 4 1 5 8 7 6 2 13 14 first chunk

76 77 78 79 6 15 13 excluded 0 3 9  11 excluded

 11

Fig. 9. Chunks for intermediate 64 steps of RIPEMD-320

On the Weak Ideal Compression Functions Akira Numayama and Keisuke Tanaka Department of Mathematical and Computing Sciences, Tokyo Institute of Technology W8-55, 2-12-1 Ookayama Meguro-ku, Tokyo 152-8552, Japan {numayam4,keisuke}@is.titech.ac.jp

Abstract. In SAC 2006, Liskov introduced the weak ideal compression functions. He proved that a hash construction based on these functions is indifferentiable from the random oracle. In ICALP 2008, Hoch and Shamir applied Liskov’s idea and proved the indifferentiability of another hash construction. However, these proofs of indifferentiability can have gaps in certain situations. In this paper, we formalize these situations and propose the simulation method which covers these situations. In particular, we apply our simulation method to the latter proof of indifferentiability, and concretely analyze the security of the latter hash construction. We can derive a lower bound to find a collision in the concatenated hash construction, which covers the gaps of the original proof. Keywords: random oracle, weak ideal compression function, indifferentiability, hash construction.

1 Introduction In cryptography, hash functions have an important role. There have been numerous researches on the construction of hash functions. In order to handle messages of arbitrary length, it is common way to design hash functions based on the Merkle-Damgård iterated construction [4,12], which repeatedly applies a compression function to each successive block of the message. Let f be a compression function and let IV be a fixed initial value. Then, the Merkle-Damgård iterated construction can be described as follows. H(M) = f ( f (...( f (IV, m1 ), m2 ), . . . ), mk ), where M = m1  m2  · · ·  mk is a k-block message. This design concept is in fact applied to the standard hash functions like SHA-1 [13] and MD5 [15]. There are many security properties for hash functions such as collision resistance and first-preimage resistance (one-wayness). Hash functions used in cryptography should have these properties. In particular, SHA-1 and MD5 were expected to be collision resistant. However, recent cryptanalyses of hash functions have found significant attacks [17,18] against various hash functions, including SHA-1 and MD5. Furthermore, there have been found many generic attacks [6,9,8] against the iterated hash functions. 1.1 Previous Works The attacks mentioned above have brought our attention to the design of hash functions. A number of research have studied it and its security. C. Boyd and J. Gonz´alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 232–248, 2009. c Springer-Verlag Berlin Heidelberg 2009 

On the Weak Ideal Compression Functions

233

Indifferentiability framework: The notion of indifferentiability introduced by Maurer, Renner, and Holenstein [11] is useful in order to analyze the security of hash constructions. It is similar to the concept of indistinguishability, and it describes that two systems are indistinguishable despite having extra access to the internal structure of the systems. If we can prove a hash function is indifferentiable from the random oracle, then it has all the security properties of the random oracle model, including collision resistance and first-preimage resistance. Coron, Dodis, Malinaud, and Puniya [2] applied the indifferentiability framework to the Merkle-Damgård iterated construction, and showed that some variants of the Merkle-Damgård iterated construction can be proved to be indifferentiable from the random oracles if the ideal primitives are used as the underlying compression functions. Now, we review the formal definition of the indifferentiability. Let C Γ be a hash construction with access to oracle Γ. Here, Γ represents the underlying ideal primitive, and let ROh represent the random oracle which idealizes a hash function h. Then, the indifferentiability of C Γ from ROh is defined as follows. Definition 1 (Indifferentiability [11,2]). A construction C Γ is (q, ) indifferentiable in the presence of Γ from a random oracle ROh if there exists a polynomial-time simulator S , such that for every distinguisher D which uses at most q oracle queries, the following holds:   Pr[DCΓ ,Γ = 1] − Pr[DROh ,S ROh = 1] < .   Notice that this definition is slightly different from that of indistinguishability in that the simulator has to simulate the behavior of Γ maintaining consistency not only with Γ itself but also with the random oracle ROh . The following example illustrates the fact that a simple iterated hash construction is f not indifferentiable from the random oracle. Let C RO be a simple iterated hash construction built from a finite length input random oracle RO f which idealize a compression function f : {0, 1}n × {0, 1}m → {0, 1}n . That is, for a k-block message M = f m1  m2  · · ·  mk , the hash construction C RO is described as follows. C RO (M) = RO f (RO f (...(RO f (IV, m1 ), m2 ), . . . ), mk ). f

Then, two pairs (C RO , RO f ) and (ROh , S RO ) are differentiable for any simulator S . Let (α, β) be one of the pairs. We can construct the distinguisher D as follows. First, the distinguisher D queries the hash value of m1 to α as g1 = α(m1 ). Then, D queries the hash value of (g1 , m2 ) to β as g2 = β(g1 , m2 ). Finally, D queries the hash value of m1 m2 to α as g = α(m1  m2 ). If g = g2 , the distinguisher returns 1, and otherwise 0. In the f case of (C RO , RO f ), the equality g = g2 always holds and D returns 1 with probability h 1. On the other hand, in the case of (ROh , S RO ), the simulator S does not know m1 and hence does not know the value g = ROh (m1 m2 ) which distributes uniformly at random. Therefore, on input (g1 , m2 ), he cannot maintain the consistency with the random oracle h ROh . That is, he cannot make the value g2 = S RO (g1 , m2 ) such that the equality g = g2 holds. In this case, D returns 1 with negligible probability. f

h

234

A. Numayama and K. Tanaka

The above example shows that for the indifferentiability the simulator S needs to simulate the behavior of Γ maintaining both consistency with (1) Γ itself and (2) the random oracle ROh . Model of weak ideal compression functions: Liskov [10] introduced the model of weak ideal compression functions. This model idealizes the compression functions as the random oracle and captures the vulnerability of compression functions to the first-preimage finding attack by the additional attack oracles. Let f : {0, 1}n × {0, 1}m → {0, 1}n be a compression function. There are three oracles in this model, i.e., the forward oracle, the backward oracle, and the bridging oracle. Given (x, y), the forward oracle provides the value z = f (x, y). The backward oracle and the bridging oracle provide the firstpreimages of f . Given (y, z), the backward oracle provides one of x such that z = f (x, y) uniformly at random. Similarly, given (x, z), the bridging oracle provides one of y such that z = f (x, y) uniformly at random. The latter two oracles make the compression function no longer first-preimage resistant. In [10], he presented a new hash construction, the Zipper hash construction, and proved indifferentiability in this model. That is, the Zipper hash construction is indifferentiable from the random oracle if the underlying compression functions are weak ideal compression functions. Moreover, Hoch and Shamir [5] applied Liskov’s idea and showed a similar result for the XORed hash construction C(M) = F(M) ⊕ G(M), where both the hash functions F and G are iterated. 1.2 Our Contributions First, we point out that the simulators in [10,5] can have some problems in certain situations when the simulators simulate the behavior of Γ maintaining the consistency with Γ itself. Then, we formalize these situations and propose the simulation method which covers these gaps. In particular, we apply our simulation method to the proof of indifferentiability in [5], and concretely analyze the security of the XORed hash construction. We can derive a lower bound to find a collision in the concatenated hash construction, which covers the gaps of the original proof [5]. Problems in the previous works: Liskov [10] proposed the Zipper hash construction and proved it indifferentiable from the random oracle in the model of weak ideal compression functions. There are three oracles in this model. Let Γ represent these three oracles. In order to prove the indifferentiability, he constructed the simulator S which simulates the behavior of Γ maintaining both consistency with (1) Γ itself and (2) the random oracle ROh . While the latter consistency is satisfied by his simulator, the former consistency is not always satisfied. The problem of Liskov’s simulator is as follows: In the simulation of the backward oracle (resp. the bridging oracle), Liskov’s simulator always provides new x (resp. new y). In the case of the bridging oracle, if m is sufficiently larger than n, then each pair of (x, z) can have an adequate number of possible answers. Therefore, his simulator can work in this case. However, in the case of the backward oracle, some of the pairs (y, z) have multiple possible answers, but some have no answers. The simulator has to take into account this fact in order to maintain the consistency.

On the Weak Ideal Compression Functions

235

Hoch and Shamir [5] and Numayama, Isshiki, and Tanaka [14] proposed answers to this problem. Hoch and Shamir [5] mentioned it in the same indifferentiability context and in the same model of weak ideal compression functions. In contrast, Numayama et al. mentioned it in the reduction context and in a bit relaxed model. In particular, Hoch and Shamir [5] showed it in the case that m is sufficiently larger than n, and they mentioned that they could also do in the same way in the case that m is not sufficiently larger than n. However, if we carefully observe what will occur in such a case, we see that we cannot simply extend their simulator. We will describe the problem of their simulator in Section 4. In this paper, we formalize this problem in order to cover the case that m is not sufficiently larger than n. We propose the simulation method of the forward oracle, the backward oracle, and the bridging oracle. Our simulation method is based on the simulation method in [14]. By using our simulation method, we can also prove the indifferentiability of the Zipper hash construction and the XORed hash construction in the case that m is not sufficiently larger than n. A lower bound for finding collisions of the concatenated hash construction: Joux [6] found a multicollision attack to find collisions against the concatenated hash construction H(M) = F(M)  G(M) when at least one of the underlying hash functions F and G are iterated. If the outputs of F and G are n bits, then his attack succeeds in finding a collision in expected time O(n2n/2 ). This is much faster than the birthday paradox based attack, which takes expected time O(2n ) to find a collision for any function of 2nbit output. His result implies that the concatenated hash construction does not always improve the security of underlying hash functions. In Joux’s attack, he used the birthday attack to find collisions in the underlying compression functions of F or G. It costs O(2n/2 ) time to find a collision. Joux then posed the question whether the ability to find collisions efficiently in both the underlying compression functions of F and G can help the attacker to improve the complexity of his attack. Hoch and Shamir [5] showed that in the model of weak ideal compression functions, the XORed hash construction C(M) = F(M) ⊕ G(M) is indifferentiable from the random oracle when less than O(2n/2 ) queries are made. They concluded that since finding collisions in H(M) = F(M)  G(M) implies finding collisions in C(M) as well, the indifferentiability of C(M) will give a lower bound on the number of queries required to find a collision in H(M). Their result proved that even in a powerful attack scenario where the attacker can find not only collisions but also first-preimages in all the compression functions in unit time, it is required O(2n/2 ) time to find a collision in the concatenated hash construction. We note that they showed this result in the case that m is sufficiently larger than n, where m, n are the parameters for the underlying compression functions f, g :{0, 1}n × {0, 1}m → {0, 1}n . In contrast to their result, we formally prove the indifferentiability of C(M) including the case that m is not sufficiently larger than n. We can derive a lower bound such that in the same attack scenario as in [5], finding a collision in the concatenated hash construction requires more than O(2m/4 ) or O(2n/4 ) time in the case that m is not sufficiently larger than n.

236

A. Numayama and K. Tanaka

Organization: In Section 2, we review the model of weak ideal compression functions. First, we point out the problem in [10], and consider the simulation method in a simple restricted version in Section 3. Then, in Section 4, we point out the problem in [5], and consider the simulation method in the full version. Section 5 shows an application of our simulation method to the XORed hash construction. Finally, Section 6 concludes this paper.

2 Model of Weak Ideal Compression Functions 2.1 Notation If D is a distribution, x ← D denote that x is sampled according to D, and let fD (x) be the probability mass function of distribution D. Let Bn(N, p) be the binomial distribution with N trials and success probability p. Let S be a finite set. Let s ← S denote that s is sampled from the uniform distribution on S . #S denotes the number of elements in S . If A is a probabilistic machine and x is an input, let A(x) denote the output distribution of A on input x. Finally, for a table T = {(x, y)}, we define T(y) = {( x˜, y˜ ) ∈ T | y = y˜ }. Similarly, for a table T = {(x, y, z)}, we define T(y) = {( x˜, y˜, z˜) ∈ T | y = y˜ } and T(y, z) = {( x˜, y˜, z˜) ∈ T | y = y˜, z = z˜}. 2.2 Model Let X, Y, and Z be finite sets. The model of weak ideal compression functions first introduced by Liskov [10] has a compression function f chosen randomly from all the functions such that f : X × Y → Z. That is, f maps an element (x, y) ∈ X × Y to an element f (x, y) = z ∈ Z. Let T f = {(x, y, f (x, y)) | (x, y) ∈ X×Y} be the table which defines the correspondence of all the elements in X ×Y with the elements in Z. That is, there is an entry (x, y, z) ∈ T f if and only if z = f (x, y) holds. We note that we can identify the compression function f with the table T f . In this model there are three oracles, i.e., the forward oracle, the backward oracle, and the bridging oracle. These oracles are defined as follows: Forward Oracle F wO f : Given (x, y), the forward oracle returns z such that (x, y, z) ∈ Tf Backward Oracle BwO f : Given (y, z), if there is any entry (x, y, z) ∈ T f , then the backward oracle returns such x uniformly at random. Otherwise, it returns ⊥. Bridging Oracle BrO f : Given (x, z), if there is any entry (x, y, z) ∈ T f , then the bridging oracle returns such y uniformly at random. Otherwise, it returns ⊥. Remark 1. In the previous works [10,5], they identified the forward oracle and the underlying compression function. However, in this paper as in [14] we explicitly distinguish them and make the forward oracle to be the interface to the underlying compression function. This setting helps us to make the model of weak compression functions well-defined.

On the Weak Ideal Compression Functions

237

2.3 Difference from the Random Oracle Model We note an important difference between the random oracle model and the model of weak ideal compression functions. Let h : X × Y → Z be the hash function in the random oracle model, and let Th be the table Th = {(x, y, h(x, y)) | (x, y) ∈ X × Y}. Furthermore, let ROh be the random oracle, which provide z = h(x, y) when we query the hash value of (x, y). In the random oracle model, each output of the random oracle ROh is independent of the other entry in the table Th and uniformly distributed. This property of the random oracle model is called uniformity. In contrast to the situation in the random oracle model, when it comes to the model of weak ideal compression functions, this property is not easily attained. This is because, when we query (y, z), the backward oracle uniformly returns one of the preimages of z under the function fy (x) = f (x, y), and hence if there are nyz elements, then it outputs one of them with probability n1yz . Here, some information on nyz may be revealed, and each entry in the table T f has some relation depending on nyz . In order to verify this situation, let us consider the following extreme case. Let z∗ = f (x∗ , y∗ ) for some (x∗ , y∗ ) ∈ X × Y, and let ny∗ z∗ be the number of the preimages of z∗ under the function fy∗ (x) = f (x, y∗ ). If ny∗ z∗ = 1, then the backward oracle always returns the same x∗ on input (y∗ , z∗ ). In this case, we know the information that ny∗ z∗ = 1 through the backward oracle. This implies that there is exactly one element that maps to z∗ under the function fy∗ (x) = f (x, y∗ ), and for any x  x∗ the value F wO f (x, y∗ ) cannot be z∗ , i.e., the value F wO f (x, y∗ ) does not strictly follow the uniform distribution on Z. Therefore, we no longer have the uniformity in the model of weak ideal compression functions.

3 Our Simulation Methods (Restricted Version) In this section, we begin by considering the simulation in the simple restricted version where we have only the forward oracle and the backward oracle available, but not the bridging oracle. The simulation in the full version is given in Section 4. Before giving our methods, let us review the simulation in the random oracle model. In the random oracle model, each entry in the table is independent and uniformly distributed. That is, the random oracle model has the uniformity. Therefore, in a standard way, we simulate the random oracle by maintaining a table T that is initially empty as the following algorithm Std.RO (Algorithm 1). In contrast to the simulation in the random oracle model, when it comes to the restricted model of weak ideal compression functions, there are two difficulties in the simulation. First, in the restricted model of weak ideal compression functions, we need to simulate the backward oracle in addition to the forward oracle, i.e., when the value (y, z) is queried to the backward oracle, we need to uniformly return one of the preimages of z under the function fy (x) = f (x, y). However, we do not know the number of the preimages of z under the function fy (x) = f (x, y), and hence we cannot uniformly return one of them. Second, each entry in the table is no longer independent because some information about the number of the preimages of z under the function fy (x) = f (x, y) are

238

A. Numayama and K. Tanaka

Algorithm Std.RO( xˆ, yˆ) 1. If ( xˆ, yˆ , z) ∈ T for some z, then return z. 2. Otherwise, (a) pick uniformly z ← Z, (b) insert ( xˆ, yˆ, z) in the table T, and (c) return z. Algorithm 1. Standard simulation method of the random oracle

revealed through the backward oracle, i.e., the model of weak ideal compression functions does not have the uniformity. Therefore, in the simulation of the forward oracle, when the hash value of (x, y) is queried, we cannot do as in the algorithm Std.RO. 3.1 Problem of Liskov’s Simulation Method In the restricted model of weak ideal compression functions, the above two difficulties prevent us to simply simulate both the forward oracle and the backward oracle. Let X = Z = {0, 1}n and Y = {0, 1}m , i.e., f : {0, 1}n × {0, 1}m → {0, 1}n be the compression function. The problem of Liskov’s simulator is as follows: In the simulation of the backward oracle (resp. the bridging oracle), Liskov’s simulator always provides new x (resp. new y). In the case of the bridging oracle, if m is sufficiently larger than n, then each pair of (x, z) has an adequate number of possible answers. Therefore, his simulator can work in this case. However, in the case of the backward oracle, some of the pairs (y, z) have multiple possible answers, but some have no answers. The simulator has to take into account this fact in order to maintain the consistency. Hoch and Shamir [5] and Numayama et al. [14] proposed answers to this problem independently. Hoch and Shamir proposed the simulation method in the model of weak ideal compression functions, and considered to manage the number of preimages according to the Poisson distribution. Their simulation method seems reasonable in the restricted model of weak ideal compression functions. However, they did not prove it. Numayama et al. proposed the simulation method in the weakened random oracle models where the argument of the function is restricted to one, i.e., the underlying function is z = fy (x) = f (x, y) for fixed y. They considered to manage the number of preimages according to the binomial distribution and proved that their simulation method can simulate the random oracle and the first-preimage oracle in the weakened random oracle models, which correspond to the forward oracle and the backward oracle, in the restricted model of weak ideal compression functions, respectively. In this paper, we apply the idea of Numayama et al. to the simulation of the forward oracle and the backward oracle in the restricted model of weak ideal compression functions. This is because the simulation methods of Numayama et al. was proved their validity. 3.2 Solution for the Problem of Liskov’s Simulation Method In the restricted case, it is easy to simulate both the forward oracle and the backward oracle by using the idea of Numayama et al. We show the reason why we can apply

On the Weak Ideal Compression Functions

239

Table 1.

yj ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗

the simulation method of the random oracle and the first-preimage oracle, where the underlying hash function is z = fy (x) = f (x, y) for fixed y. The correspondence of the hash value zi j = f (xi , y j ) is described in Table 1. Given (y, z), in order to simulate the backward oracle, it only requires the number of preimages of z under the function fy (x) = f (x, y), and this number only has an effect on the corresponding y’s column. This effect is described by the gray color in Table 1. Furthermore, there is nothing else except this number which has an effect on the other entries in Table 1 which are not yet determined. Therefore, for each y ∈ Y the function fy (x) (each y’s column in Table 1) is mutually independent, and we can apply the simulation method proposed in [14] to each function fy (x) in order to simulate the forward oracle and the backward oracle in this restricted model of weak ideal compression functions where the bridging oracle is not available. In Appendix A, we give the concrete algorithms FwOBw and BwOBw which simulate R R the forward oracle and the backward oracle, respectively. The main idea of our simulation methods is to manage the two tables T and Lyz which are initially empty. The table T has entries (x, y, z) in order to manage the correspondence of z = f (x, y) as in the standard simulation method in the random oracle model. On the other hand, the table Lyz has entries (y, z, nyz) in order to manage the number of the preimages of z under the function fy (x). These two tables are commonly used for the algorithms FwOBw and BwOBw . R R As for the first difficulty described at the beginning of this section, the knowledge of the number nyz in the table Lyz enables the algorithm FwOBw to uniformly output one of R the preimages of queried value z under the function fy (x), i.e., return one of them with probability n1yz . As for the second difficulty, the knowledge of the number of nyz also enables the algorithm FwOBw R to behave like the forward oracle considering the dependence of each entry stemmed from some leakage through nyz . In order to verify how this idea works well, let us consider the extreme case again. Let z = f (x, y) for some (x, y) ∈ X × Y and nyz be the number of preimages of z under the function fy (x) = f (x, y). If nyz = 1, then for all x ∈ X such that x  x, the value F wO f (x , y) does not match z. Therefore,

when we query the hash value of (x , y), the algorithm FwOBw R (x , y) uniformly outputs



z ∈ Z such that z  z. Then, by using the following proposition, we can analyze the algorithms FwOBw and R BwOBw , and obtain the following theorem. R

240

A. Numayama and K. Tanaka

Proposition 1 ([7]). There is a polynomial-time machine BN such that the distribution BN (N, p) output by the algorithm BN is statistically close to the binomial distribution Bn(N, p), where N is a positive integer and 0 ≤ p ≤ 1. Remark 2. In order to simplify the analysis of the algorithms, we ignore the above statistical distance. The statistical distances in Theorems 1 and 2 all arise from the above one. Theorem 1. We can simulate the forward oracle and the backward oracle in the restricted model of weak ideal compression functions where the bridging oracle is not available. Formally, the distribution on the outputs of the forward oracle and the backward oracle is statistically close to the distribution on the outputs of the algorithms FwOBw and BwOBw in the restricted model of weak ideal compression functions where R R the bridging oracle is not available. Proof. In this restricted case, for each y ∈ Y the function fy (x) = f (x, y) is independent from each other, and therefore we can apply the similar simulation methods of the random oracle and the first-preimage oracle as in the first-preimage random oracle model [14].

We note that if we replace the role of the bridging oracle and the backward oracle, then in the same way we can obtain the algorithms FwOBr and BrOBr that simulate the R R forward oracle and the bridging oracle respectively in the restricted model of weak ideal compression functions where the backward oracle is not available. Remark 3. There are three tables T, Lyz , and L xz which are used in the four algorithms FwOBw , BwOBw , FwOBr , and BrOBr . Here, we mention which algorithm manages which R R R R

table. It is helpful to keep this in mind in order to understand the simulation methods in the (full) model of weak ideal compression functions. All the algorithms manage the table T on the fly. Furthermore, the former two algorithms FwOBw and BwOBw also manages the table Lyz , whereas the latter two algorithms R R Br FwOR and BrOBr also manage the table L xz . R

4 Our Simulation Methods (Full Version) Now, we consider the simulation method of three oracles in the (full) model of weak ideal compression functions. Given (y, z), in order to simulate the backward oracle, we need the number nyz of preimages of z under the function fy (x) = f (x, y). Similarly, given (x, z), in order to simulate the bridging oracle, we need the number n xz of preimages of z under the function f x (y) = f (x, y). Therefore, in the (full) model of weak ideal compression functions, in order to simulate at once both the backward oracle and the bridging oracle, we have to manage the numbers nyz and n xz simultaneously. In this time, we manage the three tables T , L xz , and Lyz . The table T has entries (x, y, z) in order to manage the correspondence of z = f (x, y). On the other hand, the table L xz (and Lyz , respectively) has entries (x, z, n xz) (and (y, z, nyz), respectively) in order to manage the number of the preimages of z under the function f x (y) = f (x, y) (and fy (x) = f (x, y), respectively).

On the Weak Ideal Compression Functions

241

4.1 Naive But Faulty Idea We give a naive but faulty idea for the simulation of the forward oracle, and show that this idea does not work well. The naive idea is to determine the value z = f (x, y), if and only if the value f (x, y) is queried as the simulation method in the restricted model of weak ideal compression functions. Let us examine the simulation of the forward oracle according to the naive idea in the case that the hash values of (xi , y j ), (xk , yl ), and (xk , y j ) are queried in this order. First, the hash value of (xi , y j ) is queried. Then, we pick zi j ← Z uniformly, and insert (xi , y j , zi j ) in T. Furthermore, we also determine the numbers n xz and nyz of preimages of z under the functions f xi (y) and fy j (x) respectively, and insert (xi , zi j , n xz ) in L xz and insert (y j , zi j , nyz ) in Lyz . Here, we note that the number n xz has an effect on the elements of xi row which are not yet determined, i.e., these elements are not uniformly distributed in Z. Similarly, the number of nyz has an effect on the elements of y j ’s column which are not yet determined. These effects are described by the gray color in Table 2. Next, the hash value of (xk , yl ) is queried. We have to determine the hash value f (xk , yl ) as zkl . In this time, zkl is not the gray colored element in Table 2, and hence zkl is independent from the other entries (i.e., zkl is distributed uniformly in Z). Then, we can pick zkl ← Z uniformly, and insert (xk , yl , zkl ) in T. Furthermore, we also determine the numbers n xz and n yz of preimages of zkl under the functions f xk (y) and fyl (x) respectively, and insert (xk , zkl , n xz ) in L xz and insert (yl , zkl , n yz ) in Lyz . Then, the numbers n xz and n yz have an effect on the elements of xk ’s row and yl ’s column, respectively (Table 3). Finally, the value of f (xk , y j ) is queried. We have to determine the hash value f (xk , y j ) as zk j . In this time, zk j is the gray colored elements in Table 3, and hence zkl is not independent from the other entries. More properly, for (xk , zkl , n xz ) ∈ L xz and (y j , zi j , nyz) ∈ Lyz , zk j is subject to the effects of n xz and nyz . Now, let us consider the extreme case where zi j = zkl = z, n xz = 1, and nyz = #Y. Then, zk j must not be equal to z by the effect of n xz , whereas zk j must be equal to z by the effect of nyz . These two conditions cannot be satisfied at the same time, and we cannot determine zk j according to this naive idea. 4.2 Problem of Hoch and Shamir’s Simulation Method Hoch and Shamir [5] proposed an answer to the problem of Liskov’s simulation method, and proposed the simulation method in the model of weak ideal compression functions. In this section, we show some problem of their simulation method in a certain situation. Table 2.

yj ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗ ∗∗∗∗∗∗∗

Table 3.

yj ∗ ∗ ∗ ∗ xk ∗ ∗ ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

Table 4.

yj ∗ ∗ ∗ ∗ xk ∗ zk j ∗ ∗ x i ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

242

A. Numayama and K. Tanaka

Let f : {0, 1}n × {0, 1}m → {0, 1}n be the underlying compression function. In the case that m is sufficiently larger than n, their simulation method is as follows. In order to overcome the problem of Liskov’s simulation method, they managed the number of preimages according to the Poisson distribution. They managed the number nyz of preimages of z under the function fy (x) = f (x, y) in order to simulate the backward oracle, and took nyz into account in the simulation. On the other hand, they did not manage the number n xz of preimages of z under the function f x (y) = f (x, y) in order to simulate the bridging oracle, and they always output new y when we query the preimage of (x, z). This is because there are expected to be a few possible answers to the (y, z) query, and it is required to take care of it in order to simulate the backward oracle. In contrast, in the case that m is sufficiently larger than n, there are expected to be a large number of possible answers to the (x, z) query, and even if we always output new y, it does not seem to cause much deviation from the distribution on the outputs of the bridging oracle. In the case that m is not sufficiently larger than n, we also need to take care of the number n xz of preimages z under the function f x (y) = f (x, y), since there are expected to be a few possible answers to the (x, z) query. Hoch and Shamir [5] noted, in this case, the same special treatment as in simulation of the backward oracle can be given to the bridging oracle. However, in [5], they did not mention the above problem described in the naive idea caused by managing both the numbers of the preimages of z under the functions f x (y) and fy (x). Therefore, the simulation method of Hoch and Shamir can suffer from the same problem as in the naive idea. 4.3 Solution for the Problem of Hoch and Shamir’s Simulation Method In this section, we propose the solution to overcome the problem in the naive idea. We define the notion which plays an important role in our simulation method. Definition 2. For the tables T, L xz, and Lyz , we call as the crossed elements the elements in the table of the hash values zi j = f (xi , y j ) such that they are in the gray colored row and the gray colored column at once. That is, the elements (x, y) are crossed elements if and only if there are (x, z, n) ∈ L xz and (y, z , n ) ∈ Lyz for some z, z , n, and n . The problem in the naive idea appears when it comes to decide the value of crossed elements. That is, we have to take into account at once both the effects of n xz under the function f x (y) (gray colored x’s row) and the effects of nyz under the function fy (x) (gray colored y’s column). In order to simulate the three oracles, we have to overcome this problem, i.e., the dependence of two functions f x (y) and fy (x). In the previous case, the problem is that there is a dependence of the functions f xk (y) and fy j (x) at the time when we need to determine the value zk j of crossed element. Therefore, in order to overcome the dependence of the two functions it will be good idea to determine the value zk j in advance of the appearance of this dependence. Let us carefully observe when the dependence of two functions f xk (y) and fy j (x) appear in the same situation where the values of (xi , y j ), (xk , yl ), and (xk , y j ) are queried in this order. Just after the first query (xi , y j ), there is only fy j (x) which affects the value

On the Weak Ideal Compression Functions

243

Table 5.

1. 2. 3. 4. 5.

Naive idea zkl n xz n yz

Our idea zkl zk j n xz zil n yz

Procedure at the second query (xk , yl ) 1. Uniformly pick zkl ← Z. 2. Choose zk j according to the function fy j (x). 3. Determine the number of the preimage of zk j and zkl under the function f xk (y). 4. Choose zil according to the f xi (y). 5. Determine the number of the preimage of zkl and zil under the function fyl (x). Procedure 1.

zk j = f (xk , y j ) through nyz . When the second query f (xk , yl ) is made, we determine the value zkl = f (xk , yl ) and n xz and n yz . Here, n xz affects the function f xk (y). Now, the dependence of two functions f xk (y) and fy j (x) appear at the second query (xk , yl ). In order to determine the value zk j before this dependence caused through nyz and n xz appears, we should decide zk j in advance of the decision of n xz at the second query. Here, we note for the value zil , the same idea should be applied to the case that the value f (xi , yl ) is queried. Therefore, the procedure at the second query is modified as follows. In contrast to the naive idea where we determine the values zkl , n xz , and n yz in this order, we additionally decide the values zk j and zil in the following order, zkl , zk j , n xz , zil , and then n yz . See Table 5 for comparison. We can apply this idea and obtain the more precise procedure described as follows (Procedure 1). In Step 1, zkl is an independent entry, and we can determine the hash value of (xk , yl ) uniformly at random. In Step 2, zk j is only dependent on the y j ’s column, and we can determine the hash value of (xk , y j ) according to the function fy j (x). In Step 3, zk j and zkl are only dependent on the xk ’s row, and we can determine the number of preimages according to the function f xk (y). In Step 4, zil is only dependent on the xi ’s row, and we can determine the hash value of (xi , yl ) according to the function f xi (y). In Step 5, zkl and zil are only dependent on the yl ’s column, and we can determine the number of preimages according to the function fyl (x). We can check the dependence of the elements at each step in the procedure as described in Tables 6-11. Table 6 corresponds to the beginning of Step 1, and Table 10 describes the dependence after the procedure. In Tables 6-11, dark gray colored elements are subject to the effects of the number of preimages, whereas light gray colored elements are not, like the other elements. For example, in Table 6, the hash value of (xk , y j ) (and (xi , yl ), respectively) is decided according to the fy j (x) (and ( f xi (y)), respectively), and the hash value of (xk , yl ) is uniformly distributed in Z.

244

A. Numayama and K. Tanaka Table 6.

yj ∗ ∗ ∗ ∗ xk ∗ + ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

∗ ∗ ∗ ∗ ∗ ∗ ∗

yl ∗ ∗ + ∗ + ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

Table 7.

yj ∗ ∗ ∗ ∗ xk ∗ + ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

Table 9.

yj ∗ ∗ ∗ ∗ xk ∗ zk j ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ + ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ + ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

Table 8.

yj ∗ ∗ ∗ ∗ xk ∗ zk j ∗ ∗ x i ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ zil ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

Table 11.

Table 10.

yj ∗ ∗ ∗ ∗ xk ∗ zk j ∗ ∗ xi ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ + ∗ ∗ ∗ ∗

yj ∗ ∗ ∗ ∗ xk ∗ zk j ∗ ∗ x i ∗ zi j ∗ ∗ ∗ ∗

yl ∗ ∗ ∗ ∗ ∗ zkl ∗ ∗ ∗ zil ∗ ∗ ∗ ∗

∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗ ∗∗∗∗∗

This procedure at the second query (xk , yl ) is easily extended to the subsequent forward oracle queries. That is, in the simulation of the forward oracle, when queried the hash value of (x, y), we also decide the hash value of the elements which will become crossed elements in advance of deciding the number of preimages of z = f (x, y). Then, we can obtain the algorithm FwO which simulates the forward oracle by applying the above idea. By applying the same idea of keeping the every crossed element determined, we can also obtain the algorithms BwO and BrO which simulate the backward oracle and the bridging oracle, respectively. We give the concrete algorithms FwO, BwO, and BrO in the full version of this paper. Remark 4. These three algorithms are designed according to the idea described above. Therefore, if every crossed element are determined at the beginning of each invocation of these algorithms, then every crossed element are determined at the end of the invocation. That is, these algorithms run maintaining all the crossed elements determined. We can obtain the following theorem. The proof is given in the full version of this paper. Theorem 2. We can simulate the forward oracle, the backward oracle, and the bridging oracle in the (full) model of weak ideal compression functions. Formally, the distribution on the outputs of the forward oracle, the backward oracle, and the bridging oracle is statistically close to the distribution on the outputs of the algorithms FwO, BwO, and BrO in the (full) model of weak ideal compression functions.

On the Weak Ideal Compression Functions

245

5 An Application of Our Simulation Method to the Proofs of the Indifferentiability In this section, we apply the simulation method in Section 4 to the proofs of the indifferentiability in [10,5]. In particular, we modify the proof of [5] by applying our simulation method instead of theirs. Let F and G are iterated hash functions based on the compression functions f and g, respectively. Hoch and Shamir [5] showed that the XORed hash construction C(M) = F(M) ⊕ G(M) where both the underlying compression functions of F and G are iterated, is indifferentiable from the random oracle in the model of weak ideal compression functions. In order to overcome the problem of the simulator in [5] described in Section 4, we apply the simulation method in Section 4 and obtain the following theorem. Theorem 3. Let C be the XORed hash construction C(M) = F(M) ⊕ G(M), where F and G are iterated hash functions based on the compression functions f and g, respectively. Then, the XORed hash construction C is indifferentiable from the random oracle in the model of weak ideal compression functions. More formally, it is stated as follows. Let f and g are the compression functions such that f, g :{0, 1}n × {0, 1}m → {0, 1}n . Let Γ be an oracle encapsulating the forward oracles, the backward oracles, and the bridging oracles for the compression functions f and g. Then, there is a simulator S such that for every distinguisher D which uses at most q oracle queries, the following holds, where α = min(m, n).   4 Pr[DCΓ ,Γ = 1] − Pr[DROh ,S ROh = 1]  O( q ).   2α In order to prove Theorem 3, we construct a simulator S which simulates Γ in polynomial time. We note that the simulator S must keep consistency with both Γ itself and the random oracle. The simulator S uses the idea of our simulation method in Section 4 for the consistency with Γ, and uses the idea of Hoch and Shamir [5] for the consistency with the random oracle. In the full version of this paper, we show our main lemma which is useful for the security proof of indifferentiability in the model of weak ideal compression functions. Then, by using this lemma, we formally prove Theorem 3.

6 Conclusion First, we have pointed out that the previous proofs of indifferentiability [10,5] can have some problems in certain situations. Then, we have formalized these situations and proposed the simulation method for the forward oracle, the backward oracle, and the bridging oracle in the model of weak ideal compression functions. By applying our simulation method to the previous proofs, we can also prove the indifferentiability in the situations where the original proofs does not cover. In particular, we have applied our simulation method to the proof of indifferentiability [5]. In [5], Hoch and Shamir proved that the XORed hash construction C(M) =

246

A. Numayama and K. Tanaka

F(M) ⊕G(M) is indifferentiable from the random oracle in the case that m is sufficiently larger than n, where the underlying compression functions are f, g : {0, 1}n × {0, 1}m → {0, 1}n . Then, they derived a lower bound such that even in a powerful attack scenario where the attacker can find not only collisions but also first-preimages in all the compression functions in unit time, it required O(2n/2 ) time to find a collision in the concatenated hash construction H(M) = F(M)  G(M). In contrast, we have proved the indifferentiability even in the case that m is not sufficiently larger than n, and derived a lower bound such that in the same attack scenario it requires O(2m/4 ) or O(2n/4 ) time to find a collision in the concatenated hash construction in the case that m is not sufficiently larger than n.

References 1. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990) 2. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-damgård revisited: How to construct a hash function. In: Shoup [16], pp. 430–448 3. Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005) 4. Damgård, I.: A design principle for hash functions. In: Brassard [1], pp. 416–427 5. Hoch, J.J., Shamir, A.: On the strength of the concatenated hash combiner when all the hash functions are weak. In: Aceto, L., Damgård, I., Goldberg, L.A., Halld´orsson, M.M., Ing´olfsd´ottir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 616–630. Springer, Heidelberg (2008) 6. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) 7. Kawachi, A., Numayama, A., Tanaka, K., Xagawa, K.: Approximation sampling and its application to security proofs in cryptography. In: Symposium on Cryptography and Information Security, pp. 3D1–1 (2009) 8. Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006) 9. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2n work. In: Cramer [3], pp. 474–490 10. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007) 11. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004) 12. Merkle, R.C.: One way hash functions and des. In: Brassard [1], pp. 428–446 13. National Institute of Standards and Technology. Secure hash standard. FIPS 180-2 (August 2002) 14. Numayama, A., Isshiki, T., Tanaka, K.: Security of digital signature schemes in weakened random oracle models. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 268–287. Springer, Heidelberg (2008) 15. Rivest, R.L.: The MD5 message-digest algorithm. Internet Request for Comments, RFC 1321 (April 1992) 16. Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005) 17. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup [16], pp. 17–36 18. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [3], pp. 19–35

On the Weak Ideal Compression Functions

247

A Our Simulation Algorithms (Restricted Version) First, we consider how the algorithm FwOBw runs on input ( xˆ, yˆ ) in the details. If the R hash value of ( xˆ, yˆ ) is already determined, then the algorithm FwOBw returns it. OtherR wise, there are two situations depending on whether the algorithm FwOBw R returns old z which already appears in the table T or the algorithm FwOBw returns new z which R does not yet appear in the table T. There are (#X − #T(ˆy)) elements whose hash values  are not yet determined, and among them there are (ˆy,˜z,˜nyz )∈Lyz (˜nyz − #T(ˆy, z˜)) elements whose hash values are expected to be old z. Therefore, the algorithm FwOBw returns old R z or new z with this ratio. In case of old z, the algorithm FwOBw picks old z according R to the number of the preimages of each old z. In case of new z, the algorithm FwOBw R picks new z uniformly at random, and defines the number of preimages of z. The whole algorithm is described in Algorithm 2.

Algorithm FwOBw ( xˆ, yˆ ) R 1. If ( xˆ, yˆ , z) ∈ T for some z, then return z. 2. Let p(ˆy) be the following probability,  p(ˆy) =

nyz (ˆy,˜z,˜nyz )∈Lyz (˜

− #T(ˆy, z˜))

#X − #T(ˆy)

.

3. With probability p(ˆy), return old z as Steps (a)-(b). (a) pick z ← D according to the following distribution. nyz − #T(ˆy, z) for (ˆy, z, nyz ) ∈ Lyz . nyz − #T(ˆy, z˜)) (ˆy,˜z,˜nz )∈Lyz (˜

fD (z) = 

(b) insert ( xˆ, yˆ, z) in T and return z. 4. With probability 1 − p(ˆy), return new z as Steps (a)-(d).  (a) pick z ← Z \ (ˆy,˜z,˜nyz )∈Lyz {˜z}.  1 (b) n yz ← BN (#X − (ˆy,˜z,˜nyz )∈Lyz n˜ yz − 1, #Z−#L y) ). yz (ˆ

(c) nyz ← nyz + 1. (d) insert (ˆy, z, nyz) in Lyz , insert ( xˆ, yˆ, z) in T, and return z. Algorithm 2. Simulation method of the forward oracle (Restricted Version)

Second, we review how the algorithm BwOBw runs on input (ˆy, zˆ) in the details. R If zˆ is not yet determined (i.e., the number nyz of preimages of zˆ under the function fyˆ (x) = f (x, yˆ ) is not determined either), then the algorithm BwOBw first defines the R number nyz of preimages of zˆ. If nyz = 0, which implies that there is no preimage of zˆ, then the algorithm BwOBw returns ⊥. Otherwise, there are two situations depending R on whether the algorithm BwOBw returns new x which does not yet appear in the table R T or the algorithm BwOBw returns old x which already appears in the table T. There R

248

A. Numayama and K. Tanaka

are nyz elements whose hash values are expected to be zˆ under the function fyˆ (x) = f (x, yˆ ), and among them there are #T(ˆy, zˆ) elements which already appear in the table T. Therefore, the algorithm BwOBw returns old x or new x with this ratio. In case of R old x, the algorithm BwOBw picks old x according to both the current table T and the R number of the preimages of each old z defined in the table Lyz . In case of new x, the algorithm BwOBw R picks new x uniformly at random. The whole algorithm is described in Algorithm 3. Algorithm BwOBw (ˆy, zˆ) R  1 1. If (ˆy, zˆ, nyz )  Lyz for any nyz , then pick nyz ← BN (#X − (ˆy,˜z,˜nyz )∈Lyz n˜ yz , #Z−#L y) ), yz (ˆ and insert (ˆy, zˆ, nyz ) in Lyz . 2. If nyz = 0 for (ˆy, zˆ, nyz ) ∈ Lyz , then return ⊥. y,ˆz) 3. If nyz  0 for (ˆy, zˆ, nyz ) ∈ Lyz , then compute the probability q = #T(ˆ nyz . 4. With probability q return old x. (a) pick one entry uniformly from T such that ( x˜, yˆ , zˆ) ∈ T, and return x˜. 5. Otherwise return new x. (a) pick uniformly x ← X such that (x, yˆ , z˜)  T. (b) insert (x, yˆ, zˆ) in T, and return x. Algorithm 3. Simulation method of the backward oracle (Restricted Version)

Hardening the Network from the Friend Within L. Jean Camp School of Informatics, Indiana University [email protected]

Abstract. The insider threat in the networked world is distinct from the insider threat in the traditional physical business realm in that the most dangerous networked insider may be the least intentionally malicious. This inadvertent enemy within enables access by malicious outsiders through technologically nave or risk-seeking behavior. These behaviors include consistent choices (e.g., permission configurations, monotonically increasing access control rights) and specific behaviors (e.g., opening email attachments, clicking on video links). The risks of these actions are invisible to the individual, and the risks are borne at least in part by the organization. Any change in this insider behavior must include incentives for risk-avoidance, risk communication, and enable risk-mitigating choices. By developing incentive mechanisms and interactions that communicate these incentives, the risk behavior of the authorized insider can be aligned with the risk posture of the organization. We have combined game theory for incentive design, risk parameterization for pricing, and risk communication to create risk-based access control. The presentation will include the game formulation, presentation of the mechanism for pricing behaviors, and the remarkable results of initial human subjects experimentation.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, p. 249, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Reducing the Complexity in the Distributed Computation of Private RSA Keys Peter Lory University of Regensburg, D-93040 Regensburg, Germany [email protected] http://www.wiwi.uni-regensburg.de/lory/

Abstract. Catalano, Gennaro and Halevi (2000) present a protocol for the distributed computation of inverses over a shared secret modulus. The most important application of their protocol is the distributed computation of the private RSA key from the public key. The protocol is attractive, because it requires only two rounds of communication in the case of honest but curious players. The present paper gives a modification of this protocol, which reduces its complexity from O(n3 (log n)2 + n2 (log n)(log N ) + (log N )2 ) to O(n3 log n + n2 log N + (log N )2 ) bit-operations per player, where n is the number of players and N is the RSA modulus. The number of communication rounds is the same as in the original protocol.

1 Introduction Secure distributed computation is attractive, because it avoids the problem of a single point of failure. Such an entity would have full control of the system. If it is dishonest, it could misuse this power. Additionally, its server would be an attractive target for malicious adversaries and has to be protected with high costs. The last two decades have seen an exciting development of techniques for secure multiparty computations. Classical theoretical results [1,4,9,17] show that any multiparty computation can be performed securely, if the number of corrupted participants does not exceed certain bounds. However already Gennaro, Rabin and Rabin [8] point out, that these generic secure circuit techniques are too inefficient in the area of practical feasibility, which might render them impractical. Thus, it is a high priority to optimize such techniques. Catalano, Gennaro and Halevi [3] have presented a distributed inversion protocol, which requires only two rounds of communication. The most interesting application is the distributed computation of the shares of the private RSA exponent d from the public exponent e, if the shares of Euler’s phi-funktion ϕ(N ) of an RSA modulus N are given (see Rivest, Shamir and Adleman [14]). This has several applications, among which the construction of threshold variants of signature schemes (for a survey see [3]). The protocol in [3] requires O(n3 (log n)2 + n2 (log n)(log N ) + (log N )2 ) bit-operations per player, where n is the number of players and N is the RSA modulus. The present paper reduces this complexity to O(n3 log n + n2 log N + (log N )2 ). The suggested modified protocol needs also only two rounds of communication. This success is made possible by a loan from the field of numerical analysis, namely by the application of Newton’s Methodus Differentialis. C. Boyd and J. Gonz´alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 250–263, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Reducing the Complexity in the Distributed Computation of Private RSA Keys

251

A network of n players is assumed, that are connected by point-to-point private channels and by a broadcast channel. Failures are modeled by an adversary A, who can corrupt at most t of the players in the “honest-but-curious” sense. This means, that the adversary A can just read the memories of the corrupted players but not modify their behaviour. The protocol is secure, i.e. correct and private. Correctness means that the output values constitute a (t + 1)-out-of-n secret sharing of the inverse. Privacy is defined using the usual simulation approach (see Section 4). For the investigation of the time complexities two basic assumptions are made: a) The addition or subtraction of two k-bit-integers requires (ρadd · k) bit-operations and consequently its bit-complexity is O(k). b) The multiplication of a k-bit-integer and an l-bit-integer requires (ρmult · k · l) bitoperations and its bit-complexity is O(kl). This is a reasonable estimate for realistic values. The concrete values for ρadd and ρmult are implementation dependent (see e.g. Knuth [11]). The protocol of Catalano, Gennaro and Halevi refers to polynomial sharing over the integers on the basis of Shamir’s seminal (t + 1)-out-of-n threshold scheme [15]. The latter operates in the field Zq with a prime q . Polynomial sharing over Z gives rise to some technical problems. These are discussed in detail in Catalano [2] . One of the tricks to overcome these problems is the multiplication of the arising equations by L := n!. This trick guarantees that the coefficients of the arising polynomials are integers instead of fractions. The paper is organized as follows: Section 2 presents the protocol of Catalano, Gennaro and Halevi [3] for the reader’s convenience and investigates its complexity. Section 3 gives basic material on Newton’s scheme of divided differences for reference in Section 4. In this section the new protocol is presented. Section 5 investigates the complexity of the new protocol. Final remarks are given Section 6.

2 The Inversion Protocol of Catalano, Gennaro and Halevi Catalano, Gennaro and Halevi [3] have presented an efficient protocol to accomplish the distributed computation of an inverse of a publicly known number e over a shared modulus (see also Catalano [2]). For the reader’s convenience the protocol is repeated in Figure 1. Here, L := n!, where n is the number of players. In Round 1 of this protocol player Pi chooses integer coefficients of the polynomials gi (z), hi (z) and ρi (z). Then this player has to evaluate these polynomials at the abscissas z = j = 1, 2, . . . , n. The polynomial gi (z) is of degree at most t. Its evaluation at z = j by Horner’s scheme gi (j) = (. . . ((bi,t j + bi,t−1 )j + bi,t−2 )j + . . . bi,1 )j + Lλi

(1)

requires t multiplications and t additions. Please note, that the protocol employs polynomial sharing over Z . For the first multiplication the operands are integers of at most k1 bits with k1 = log(L2 N 3 ) ≈ log(L2 N 3 ) and of at most log n ≈ log n bits,

252

P. Lory

Public input: Prime number e with e > n, an appoximate bound N on ϕ. Private inputs: Sharing of Lϕ using a polynomial f of degree at most t over the integers. Player Pi has private input fi = f (i), where f (z) = Lϕ + a1 z + . . . + at z t and aj ∈ [−L2 N, L2 N ] for j = 1, . . . , t . Round 1: Each player Pi does the following: 1. Choose λi ∈R [0, N 2 ] and bi,1 , . . . , bi,t ∈R [−L2 N 3 , L2 N 3 ] . Choose ri ∈R [0, N 3 ] and ci,1 , . . . , ci,t ∈R [−L2 N 4 , L2 N 4 ] . Choose ρi,1 , . . . , ρi,2t ∈R [−L2 N 5 , L2 N 5 ] . 2. Set gi (z) = Lλi + bi,1 z + . . . + bi,t z t , hi (z) = Lri + ci,1 z + . . . + ci,t z t , ρi (z) = 0 + ρi,1 z + . . . + ρi,2t z 2t . 3. Send to each player Pj the values gi (j), hi (j), ρi (j), computed over the integers. Round 2: Each player Pj does the following: 1. Set gj =

n 

gi (j) , hj =

i=1

n 

hi (j) , ρj =

i=1

n 

ρi (j) .

i=1

(These are Pj ’s shares of the polynomials g(z) =

n 

gi (z) , h(z) =

i=1

n  i=1

hi (z) , ρ(z) =

n 

ρi (z) .)

i=1

2. Broadcast the value Fj = fj gj + ehj + ρj . Output: Each player Pi does the following: 1. From the broadcast values interpolate the 2t-degree polynomial F (z) = f (z)g(z) + e · h(z) + ρ(z) . 2. Using the GCD algorithm, find integers a and b such that aF (0) + be = 1. If no such integers a and b exist, go to Round 1. 3. The inverse of e is d = ah(0) + b . Privately output the share of the inverse, di = ah(i) + b . Fig. 1. The inversion protocol of Catalano, Gennaro and Halevi

respectively. Here, the symbol a denotes the smallest integer b with b ≥ a . In the following, this sign will be suppressed for readability reasons. The result of this multiplication has k1 + log n bits. The following addition adds a k1 -bit-number to this result and delivers an integer of at most k1 + log n + 1 bits. The next multiplication multiplies this number with a log n-bit-number. Its result has k1 + 2 log n + 1 bits etc. Consequently, the n evaluations of the polynomial gi (z) require at most

Reducing the Complexity in the Distributed Computation of Private RSA Keys

253

  t(t − 1) nρmult tk1 log n + (log n)(log n + 1) + 2   t(t + 1) t(t − 1) nρadd tk1 + log n + 2 2 bit-operations, where k1 = log(L2 N 3 ) .

(2)

Similarly, the n evaluations of the polynomials hi (z) and ρi (z) require at most   t(t − 1) nρmult tk2 log n + (log n)(log n + 1) + 2   t(t + 1) t(t − 1) nρadd tk2 + log n + 2 2 and nρmult [2tk3 log n + t(2t − 1)(log n)(log n + 1)] + nρadd [(2t − 1)k3 + t(2t − 1) log n + (2t − 1)(t − 1)] bit-operations, respectively, where k2 = log(L2 N 4 )

(3)

k3 = log(L2 N 5 ) .

(4)

and Please note that the multiplication L · λi requires O(log L · log N 2 ) bit-operations. This is small in comparison to O(n2 log(L2 N 3 ) . A similar comment applies to the product Lri . So, the following theorem is proven: Theorem 1. Round 1 of the inversion protocol of Figure 1 requires O(n2 k1 log n + n2 k2 log n + n2 k3 log n + n3 (log n)2 ) bit-operations per player, where k1 , k2 and k3 are given in Equations (2) – (4).

3 Newton’s Scheme of Divided Differences Interesting historical remarks on Newton’s interpolation formula and on the concept of divided differences can be found in the book of Hairer and Wanner [10]. For later reference, the basic facts following the notation in Stoer and Bulirsch [16] are presented here. Let the support abscissas xi and corresponding support ordinates fi (0 ≤ i ≤ m) be given. The divided differences are defined recursively by def

fi0 ,i1 ,...,il =

fi1 ,i2 ,...,il − fi0 ,i1 ,...,il−1 xil − xi0

(5)

and can be arranged in the divided-difference scheme (see Figure 2). The most convenient way of computation is to start with the upper left corner and add successive ascending diagonal rows.

254

P. Lory l=0 l=1 x0

f0

x1

f1

l=2

...

l=m

f0,1 f0,1,2 ..

f1,2 x2

f2 .. .

.. .

.

.. .

f0,1,2,...,m . ..

.. .

fm−2,m−1,m fm−1,m

xm fm Fig. 2. Newton’s divided-difference scheme

4 The New Inversion Protocol In Round 1 of the protocol of Catalano, Gennaro and Halevi [3] (see Figure 1) each player Pi randomly chooses the coefficients of the polynomials gi(z), hi (z) and ρi(z) of degree at most t and 2t, respectively, and then has to evaluate these polynomials at n different points. This can be done more efficiently by using Newton’s scheme of divided differences. Let us have a closer look at the polynomial gi (z) = Lλi + bi,1 z + . . . + bi,t−1 z t−1 + bi,t z t . The present paper suggests that instead of choosing the coefficients bi,1 , . . . , bi,t , each of the players Pi randomly picks t support ordinates gi (1), gi (2), . . . gi (t) for the t abscissas z = 1, z = 2, . . . , z = t . This data and the condition gi (0) = Lλi implicitly define the unique interpolation poynomial gi (z) of degree at most t. Then player Pi has to evaluate this polynomial for z = t + 1, . . . , z = n . Using Newton’s scheme of divided differences these computations can be accomplished very efficiently. The basic idea can be applied in other contexts of polynomial sharing, too (cf. the multiparty multiplication of two shared values over Zq with a prime q in [12]). The details are given in Figure 3 with g0 = gi (0), g1 = gi (1), . . . , gn = gi (n). For readability reasons the index i is omitted. A few remarks are in place: 1. The zeros in the columns l = t+1, t+2, . . . , n of Figure 3 are not computed. Instead, they are prescribed and force the interpolating polynomial to be of degree at most t. 2. The first t + 1 ascending diagonal rows are computed from left to right starting at the prescribed support ordinate g0 = gi (0) = Lλi and the randomly chosen support ordinates g1 = gi (1), . . . , gt = gi (t). The following diagonal rows are computed from right to left starting at the prescribed zeros and ending with the function values gt+1 = gi (t + 1), . . . , gn = gi (n) .

Reducing the Complexity in the Distributed Computation of Private RSA Keys l=0 l=1 0

g0

1

g1

l=2

...

l=t

255

l = t + 1 ... l = n

g0,1 2! · g0,1,2 ..

g1,2 2

g2 .. .

.. .

.. .

2! · gt−2,t−1,t .

.. .

.. . .. .

.. .

..

.

.. .

..

.. .

gt,t+1 t + 1 gt+1

0 t! · g1,2,...,t+1

2! · gt−1,t,t+1

gt

.. .

t! · g0,1,...,t . ..

gt−1,t t

.

.. .

0 .

..

0 t! · gn−t,n−t+1,...,n

. .. 2! · gn−2,n−1,n

gn−1,n n

gn

Fig. 3. Newton’s divided-difference scheme for the new inversion protocol

3. Instead of calculating the divided differences as defined in Equation (5), the numbers gi0 ,i1 ,...,il · (xil − xi0 ) = gi1 ,i2 ,...,il − gi0 ,i1 ,...,il−1 .

(6)

are computed. This modification is the reason for the factors l! in column l of the scheme of Figure 3 and avoids superfluous arithmetic operations. The polynomials hi (z) and ρi (z) are treated in the same way. For reasons of consistency the definition of the polynomial f (z) for the polynomial sharing of Lϕ is also modified analogously: Whereas in the private inputs of the protocol of Figure 1 f (z) is defined by its coefficients, it is now implicitly given by its free term f (0) = Lϕ and by the function values f (1) = f1 , . . . , f (t) = ft . The new protocol is shown in Figure 4. Step 3 of Round 1 of this protocol is presented in Figure 5. A few comments to this subprotocol are in place: 1. Step (a) calculates the upper left corners in the divided-difference schemes for the two polynomials gi (z) and hi (z) . For gi (z) compare Figure 3. 2. Step (b) calculates the following t ascending diagonal rows from left to right in the divided-difference schemes for the two polynomials gi (z) and hi (z) . For gi (z) compare again Figure 3. 3. Step (c) calculates the following n − t ascending diagonal rows from right to left in the divided-difference schemes for the two polynomials gi (z) and hi (z) . For gi (z) compare again Figure 3.

256

P. Lory

Public input: Prime number e with e > n, an appoximate bound N on ϕ. Private inputs: Sharing of Lϕ using a polynomial f of degree at most t . Player Pi has private input f (i) . The polynomial f is defined as the unique polynomial of degree at most t with free term Lϕ and the function values f (j) = fj for j = 1, . . . , t, where the integers fj ∈ [−L2 N, L2 N ] . Round 1: Each player Pi does the following: 1. Choose an integer λi ∈R [0, N 2 ] and integer function values gi,1 , . . . , gi,t ∈R [−L2 N 3 , L2 N 3 ] . Choose an integer ri ∈R [0, N 3 ] and integer function values hi,1 , . . . , hi,t ∈R [−L2 N 4 , L2 N 4 ] . Choose integer function values ρi,1 , . . . , ρi,2t ∈R [−L6 N 5 , L6 N 5 ] . 2. The polynomial gi (z) of degree at most t is implicitly defined by its free term Lλi and gi (j) = gi,j for j = 1, . . . , t . The polynomial hi (z) of degree at most t is implicitly defined by its free term Lri and hi (j) = hi,j for j = 1, . . . , t . The polynomial ρi (z) of degree at most 2t is implicitly defined by its free term 0 and ρi (j) = ρi,j for j = 1, . . . , 2t . 3. Send to each player Pj the values gi (j), hi (j), ρi (j) for j = 1, 2, . . . , n . The function values gi (1), . . ., gi (t), hi (1), . . ., hi (t) and ρi (1), . . ., ρi (2t) are given; the remaining values are computed by the subprotocol of Figure 5. Round 2 and Output: These steps are identical to the corresponding steps in the inversion protocol of Figure 1. Fig. 4. The new inversion protocol

4. Step (d) calculates the upper left corner in the divided-difference scheme for the polynomial ρi (z) . 5. Step (e) calculates the following 2t ascending diagonal rows from left to right in the divided-difference scheme for the polynomial ρi (z) . 6. Step (f) calculates the following n − 2t ascending diagonal rows from right to left in the divided-difference scheme for the polynomial ρi (z) . It should be noted, that the polynomials f (z), gi (z), hi (z) and ρi (z) as implicitly defined above (and in the protocol) have integer function values for z = 0, . . . , z = n . Consider, for example, the polynomial gi (z) . The fact that gi (z) is an integer for z = 0, . . . , z = t is obvious. For z = t + 1, . . . , z = n it can be proven as follows: In the corresponding divided-difference scheme of Figure 3 the g0 , g1 , . . . , gt in column l = 0 are the chosen integers Lλi , gi,1 , . . . , gi,t . The entries in the tableau are computed by the recursion formula (6). All these computations involve only subtractions and additions of integers (cf. the subprotocol of Figure 5). Consequently, the gi(t+1), gi (t+2), . . . , gi (n) are integers as well. A modular inversion protocol is called correct if the output values d1 , . . . , dn constitute a (t + 1)-out-of-n secret sharing of d = e−1 mod ϕ. For the definition of privacy, the view of the adversary A is considered to be the set of messages sent and received by

Reducing the Complexity in the Distributed Computation of Private RSA Keys

257

Player Pi executes the following steps: (a) γ0 := Lλi , η0 := Lri . (b) For j = 1, 2, . . . , t : γj := gi,j , ηj := hi,j , for k = j − 1, j − 2, . . . , 0 : γk := γk+1 − γk , ηk := ηk+1 − ηk . (c) For j = t + 1, t + 2, . . . , n : for k = 0, 1, . . . , t − 1 : γk+1 := γk+1 + γk , ηk+1 := ηk+1 + ηk . gi (j) := γt , hi (j) := ηt . (d) σ0 := 0 . (e) For j = 1, 2, . . . , 2t : σj := ρi,j , for k = j − 1, j − 2, . . . , 0 : σk := σk+1 − σk . (f) For j = 2t + 1, 2t + 2, . . . , n : for k = 0, 1, . . . , 2t − 1 : σk+1 := σk+1 + σk . ρi (j) := σ2t . Fig. 5. Step 3 in Round 1 of the new inversion protocol

the bad players during a run of the protocol. The modular inversion protocol is called private if for any adversary A there exits a simulator S that runs an execution of the protocol together with A and produces for it a view that is √ indistinguishable from the real one. Please note that the assumption N − ϕ = O( N ) in the following theorem is true for the case we are interested in, where N is an RSA modulus and ϕ = ϕ(N ) . √ Theorem 2. Let N − ϕ = O( N ) . If all the players carry out the prescribed protocol and n > 2t, then the protocol of Figure 4 is secure, i.e. correct and private according to the above definitions. Proof: The following proof sketch modifies the corresponding proof in [2] (Theorem 4) and [3] (Theorem 1). Initial inputs. First it has to be proven that the players start from a (t + 1)-out-of-n secret sharing of the value ϕ. It is shown that t players have no information about ϕ by demonstrating that the distribution of t shares of the secret Lϕ with the polynomial f is statistically indistinguishable from the distribution of t shares that result from sharing the value LN via a polynomial fˆ . For this purpose it is proven that with very high probability there is a sharing of LN using a polynomial fˆ with integer function values in the same range as f such that fˆ(jk ) = f (jk ) for k = 1, 2, . . . , t, where j1 , . . . , jt with

258

P. Lory

1 ≤ j1 < j2 < . . . < jt ≤ n are the indices of t arbitrary shares. Thus, fˆ is defined as the unique polynomial of degree at most t with the free term LN and the function values fˆ(jk ) = f (jk ) for k = 1, 2, . . . , t . In the following it is shown that fˆ is in the legal range, i.e. the function values fˆ(1), . . . , fˆ(t) are integers and lie with very high probability in the range [−L2 N, L2 N ] . For this purpose the polynomial χ is defined as χ(z) := f (z) − fˆ(z) . This is a polynomial of degree at most t and obeys χ(0) = L(ϕ − N ) and χ(j1 ) = . . . = χ(jt ) = 0 . Consequently, t  z − jk χ(z) = L(ϕ − N ) −jk k=1

and χ(i) = L(ϕ − N )

t  jk − i for i = 1, . . . , t . jk

(7)

k=1

Since L = n! , the values above are integers. As fˆ(z) = f (z) − χ(z), the polynomial fˆ has free term LN and its function values fˆ(i) are integers. An elementary calculation shows that  t   j − i   k (8)   ≤ t! for i = 1, . . . , t .  jk  k=1

Because of Equations (7) and (8) the absolute values of χ(i) can be bounded by |χ(i)| ≤ |ϕ − N | · L · t! for i = 1, . . . , t . Consequently, the function values fˆ(1), . . . , fˆ(t) are in the range  √ √  −L2 N − κL2 N , L2 N + κL2 N and the probability that these function values are outside the legal range is bounded by √

2κL2 N t √ t ≤O √ 2(L2 N + κL2 N ) N which is negligible. Correctness. It is easy to see that the protocol computes the correct output. Since all players are honest, the interpolation at step 1 of the last round will give as the unique 2 polynomial F (z) a polynomial  with integer function values. Thus F (0) = L λϕ+LRe with λ = i λi and R = i ri is an integer and its GCD with respect to e can be computed. If e does not divide ϕ , the probability that GCD(e, F (0))  = 1 is roughly 1/e (i. e. the probability that e divides λ). Thus, it is unlikely that the protocol has to be repeated more than once. When aF (0) + be = 1 is obtained, it can be re-written as a(L2 λϕ + LRe) + be = 1 .

Reducing the Complexity in the Distributed Computation of Private RSA Keys

259

Taken mod ϕ the last equation becomes (aLR + b)e = 1 mod ϕ . This means that d = aLR + b = e−1 mod ϕ . Thus, the t-degree polynomial ah(z) + b interpolates to the correct value d and the shares di correctly lie on this polynomial. Simulation of the inversion protocol. The simulator controls the players Pjt+1 , . . . , Pjn . For these players it holds initial values fˆi , which result from a sharing of LN (instead of Lϕ as discussed above). For Round 1 the simulator simply follows the same instructions as the protocol. This ˆ ˆ = gˆ(0) and results in shared polynomials gˆ(z), h(z) and ρˆ(z) and shared values Lλ ˆ ˆ and R ˆ = h(0) ˆ follow the same distribution as λ and R . Moreover LR . Obviously λ notice that an argument very similar to the one used for the sharing of the initial values ˆ and R ˆ. shows that the adversary has no information about λ ˆ + ρˆ(i) During Round 2 the simulator publishes the values Fˆ (i) = fˆ(i)ˆ g(i) + eh(i) for i = jt+1 , . . . , jn . The function values fi are in the range [−L2 N, L2 N ] for i = 0, . . . , t . Because of the Lagrange interpolation formula f (j) =

t  i=0

fi

 j−k . i−k k=i k=0...t

An elementary calculation shows that        j − k   ≤ L for i = 0, . . . , t and j = t + 1, . . . , n .    k=i i − k  k=0...t

Thus |f (i)| and (using an analogous argument) also |fˆ(i)| are bounded by nL3 N for i = 1, . . . , n . Similarly it can be shown that |g(i)| and |ˆ g(i)| are bounded by n2 L3 N 3 . As a consequence the function values ρ(i) and ρˆ(i) for i = 1, . . . , n are much larger than the corresponding function values for f (z)g(z) and fˆ(z)ˆ g (z) . Thus both polynomials F (z) and Fˆ (z) follow a distribution which is statistically close to ρ(z), except for the free term. ˆ + LRe ˆ (while in the real The 2t-degree polynomial Fˆ (z) has the free term L2 λN 2 execution it interpolates to L λϕ + LRe). It is shown in Lemma 1 of [2] and [3] that the distributions of these two values are statistically close.



5 Complexity of the New Inversion Protocol In all the steps of the subprotocol of Figure 5 only additions and subtractions occur. Each of these operations may increase the bit-length by 1. Consequently, step (b) needs t(t + 1)/2 subtractions of two numbers with at most k1 + t bits and of two numbers with at most k2 + t bits, where k1 = log(L2 N 3 ) and k2 = log(L2 N 4 ) . Therefore, this step requires at most t(t + 1) ρadd (k1 + k2 + 2t) 2

260

P. Lory

bit-operations. The maximum bit-sizes in step (c) are k1 + t + n − 1 and k2 + t + n − 1, respectively. Consequently, this step requires at most (n − t)tρadd (k1 + k2 + 2t + 2n − 2) bit-operations. As above, n is the number of players and t is the threshold. Step (e) needs at most t(2t + 1)ρadd (k3 + 2t) bit-operations, where

k3 = log(L6 N 5 ) .

(9)

Finally, step (f) requires at most (n − 2t)2tρadd(k3 + 2t + n − 1) bit-operations. Taking into account that t < 2t + 1 ≤ n, the following theorem is proven: Theorem 3. Round 1 of the new inversion protocol of Figure 4 requires O(n2 k1 + n2 k2 + n2 k3 + n3 )

(10)

bit-operations per player, where k1 , k2 and k3 are given in Equations (2), (3) and (9). A comparison of the above result with Theorem 1 shows the reduction of the complexity. Please note that Equation (10) covers the worst case. In reality the bit sizes of the numbers γk , ηk and σk will both increase and decrease during steps (b), (c), (e) and (f) of Figure 5 and in the average case the bit-sizes will approximately remain constant. So in the average case the last term in Equation (10) may be neglected. In view of the complete protocol it remains to investigate the complexities of Round 2 and the Output, which are identical in the protocol of Figure 1 and in the new protocol of Figure 4. The complexity of Round 2 can be neglected. The computation of F (0) in step 1 of the Output in the protocols of Figures 1 and 4 can again be done efficiently using a scheme of divided differences similar to that of Figure 3. Now player Pi possesses the values F1 , F2 , . . . , F2t+1 and wants to compute F0 = F (0) . These values define the first column of the scheme. First the triangle with the base F1 , . . . , F2t+1 is successively computed building the 2t + 1 corresponding ascending diagonal rows from left to right starting at the prescribed support ordinates F1 , . . . , F2t+1 and ending with the values F1 , F1,2 , . . . , (2t)! · F1,2,...,2t+1 . Then the uppermost descending diagonal row including F0 = F (0) is computed from right to left starting at the prescribed 0 in column 2t + 1 and using the already computed values (2t)! · F1,2,...,2t+1 , . . . , F1,2 , F1 in this order. These ideas are the basis of the new algorithm given in Figure 6. Analogously to the arguments at the beginning of this section, it follows that the protocol of Figure 6 requires at most t(2t + 1)ρadd (k4 + 2t) + 2tρadd (k4 + 4t)

(11)

Reducing the Complexity in the Distributed Computation of Private RSA Keys

261

(a) For j = 1, 2, . . . , 2t + 1 : γj := Fj , for k = j − 1, j − 2, . . . , 1 : γk := γk+1 − γk , χj := γ1 . (b) For k = 2t, 2t − 1, . . . , 1 : χk := χk − χk+1 , F0 := χ1 . Fig. 6. Efficient computation of F (0) = F0

i.e. O(n2 k4 + n3 ) bit-operations, where k4 is the bit-size of the function values F (1), F (2), . . ., F (2t + 1) . A simple calculation shows that k4 ≤ k3 + 5n and consequently the operation count of Equation (11) is O(n2 k3 + n3 ) . In the case of the original protocol the bit-sizes of F (1), F (2), . . ., F (2t + 1) are slightly different and the corresponding esimate is k4 ≤ k3 + 3n log n + 2n . This results in a corresponding operation complexity of O(n2 k3 + n3 log n) . The GCD algorithm in step 2 of the Output requires O((log U )2 ) bit-operations if U is an upper bound of the nonnegative integers e and F (0) (see e.g. Cohen [5] or Mao [13]). It is pointed out in the proof of Theorem 2 that if e does not divide ϕ, the probability that GCD(e, F (0))  = 1 is roughly 1/e. Thus it is very unlikely that the rounds of the protocol need to be repeated several times. Finally, F (0) ≤ nL2 N 3 + nLN 4 ≤ 2nL2 N 4 . These results together with Theorems 1 and 3 can be summarized in the following theorem: Theorem 4. The new inversion protocol of Figure 4 reduces the complexity from O(n3 (log n)2 + n2 (log n)(log N ) + (log N )2 )

(12)

O(n3 log n + n2 log N + (log N )2 )

(13)

to bit-operations per player, where n is the number of players and N is the RSA modulus. In the following table the two functions A(n, N ) = n3 (log n)2 + n2 (log n)(log N ) + (log N )2 (cf. Equation (12)) and B(n, N ) = n3 log n + n2 log N + (log N )2 (cf. Equation (13)) are compared for realistic values of N (= 21024 ) and the number n of players: n A(n, 21024 ) B(n, 21024 ) A(n, 21024 )/B(n, 21024 ) 25 7.11 · 106 2.26 · 106 3.15 26 3.57 · 107 6.82 · 106 5.23 27 2.21 · 108 3.25 · 107 6.80 28 1.61 · 109 2.02 · 108 7.97 The table indicates that for an increasing albeit realistic number n of players the new protocol accelerates the original one by a factor of approximately log n . For smaller

262

P. Lory

values of n the improvement is less remarkable because there is no reduction in the (log N )2 -Term, which occurs both in (12) and in (13). Both protocols require (with very high probability) only two rounds of communication.

6 Conclusion The present paper reduces the complexity in the protocol in [3] for the distributed computation of inverses over a shared modulus by a new technique, which applies Newton’s divided-difference scheme. This efficiency improvement is particularly important for threshold variants (see [3]) of the signature schemes of Cramer and Shoup [6] and of Gennaro, Halevi and Rabin [7]. In these signature shemes the inversion operation is performed with a different RSA exponent e for each message signed.

References 1. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the 20th Annual Symposium on Theory of Computing (STOC 1988), pp. 1–10. ACM Press, New York (1988) 2. Catalano, D.: Efficient distributed computation modulo a shared secret. In: Catalano, D., Cramer, R., Damg˚ard, I., Di Crescenco, G., Pointcheval, D., Takagi, T. (eds.) Contemporary Cryptology, CRM Barcelona. Advanced Courses in Mathematics, pp. 1–39. Birkh¨auser, Basel (2005) 3. Catalano, D., Gennaro, R., Halevi, S.: Computing inverses over a shared secret modulus. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 190–206. Springer, Heidelberg (2000) 4. Chaum, D., Cr´epeau, C., Damg˚ard, I.: Multiparty unconditionally secure protocols. In: Proceedings of the 20th Annual Symposium on Theory of Computing (STOC 1988), pp. 11–19. ACM Press, New York (1988) 5. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Berlin (2000) 6. Cramer, R., Shoup, V.: Signature schemes based on the Strong RSA Assumption. ACM Transactions on Information and System Security (ACM TISSEC) 3(3), 161–185 (2000) 7. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 8. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: Proceedings of the 17th ACM Symposium on Principles of Distributed Computing (PODC 1998), pp. 101–111. ACM Press, New York (1998) 9. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proceedings of the 19th Annual Symposium on Theory of Computing (STOC 1987), pp. 218–229. ACM Press, New York (1987) 10. Hairer, E., Wanner, G.: Analysis by Its History. Springer, New York (1995) 11. Knuth, D.E.: The Art of Computer Programming. Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1971) 12. Lory, P.: Reducing the complexity in the distributed multiplication protocol of two polynomially shared values. In: Proceedings of the 3rd IEEE International Symosium on Security in Networks and Distributed Systems (SSNDS 2007). AINA 2007, vol. 1, pp. 404–408. IEEE Computer Society Press, Los Alamitos (2007)

Reducing the Complexity in the Distributed Computation of Private RSA Keys

263

13. Mao, W.: Modern Cryptography: Theory and Practice. Prentice Hall, Upper Saddle River (2004) 14. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21(2), 120–126 (1978) 15. Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979) 16. Stoer, J., Bulirsch, R.: Introduction to Numerical Analysis. Springer, Berlin (2002) 17. Yao, A.C.: How to generate and exchange secrets. In: Proceedings of the 27th IEEE Symposium on Foundations of Computer Science (FOCS 1986), pp. 162–167. IEEE Computer Society, Los Alamitos (1986)

Efficiency Bounds for Adversary Constructions in Black-Box Reductions Ahto Buldas1,2,3, , Aivo J¨ urgenson2,4, and Margus Niitsoo1,3 1

Cybernetica AS, Akadeemia tee 21, 12618 Tallinn, Estonia Tallinn University of Technology, Raja 15, 12618 Tallinn, Estonia 3 University of Tartu, J.Liivi 2, 50409 Tartu, Estonia 4 Elion Enterprises Ltd, Endla 16, 15033 Tallinn, Estonia [email protected], [email protected], [email protected] 2

Abstract. We establish a framework for bounding the efficiency of cryptographic reductions in terms of their security transfer. While efficiency bounds for the reductions have been studied for about ten years, the main focus has been the efficiency of the construction mostly measured by the number of calls to the basic primitive by the constructed primitive. Our work focuses on the efficiency of the wrapper construction that builds an adversary for the basic primitive and has black-box access to an adversary for the constructed primitive. We present and prove a general upper bound theorem for the efficiency of black-box reductions. We also provide an example about upper bound for reductions between two security notions of cryptographic hash functions, which gives a negative answer to the open question about the existence of linear-preserving reductions from the so-called hash-then-publish time-stamping schemes to the collision resistance of the underlying hash function.

1

Introduction

The security of cryptographic schemes is usually proved based on certain assumptions. For instance, it is a well known fact that the ElGamal cryptosystem is secure only if the Diffie-Hellman assumption holds. Assumptions used can be very different, some being very specific computational problems and others being far more abstract in nature. The need to use assumptions has created a rather interesting subfield of cryptology that concerns itself with the theoretical bounds of their use. Much research has been put into studying what exactly can be constructed using, for instance, one-way permutations. More interestingly, what cannot be constructed from them has also been studied rather extensively. Research in that direction started with the seminal paper of Impagliazzo and Rudich [7], who used the Oracle separation method from Complexity theory to show that a black-box construction from one-way permutations to secret agreement would imply a contradiction and thus concluded that such a construction 

This research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science (EXCS), by Estonian SF grant no. 6944, and by EU FP6-15964: “AEOLUS”.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 264–275, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

265

cannot exist. Their result shows that any construction for a secret agreement would need more than just black-box access to a secure one-way permutation in order to be secure. While this approach does not completely rule out the existence of a construction for secret agreement from one-way permutations, it does show that the reduction would need some additional information about the permutations. As general constructions of that type are nearly unknown, their result is taken as strong evidence that a sensible construction cannot exist. To date, the connections between the most basic assumptions and most important primitives have been mapped out. Sadly, a review article of these results has yet to be written, although most important results are covered by [7,5]. As a brief overview, there is one equivalence class for private-key cryptology that contains symmetric encryption, signature schemes and bit commitment and is equivalent to assuming the existence of a one-way function. For public key primitives things are a bit more complicated but the existence of trapdoor one-way permutations allows one to construct just about everything and key agreement seems to be constructible from every other public key primitive. Since it is known that key agreement cannot be based on one-way permutations, this implies that privatekey cryptology is not enough to construct any public-key primitives. Many more non-reducibility results are known. With the reductions more or less mapped out with existence or non-existence results, attention was directed towards the efficiency of the reductions. Kim, Simon and Tetali [8] showed that a construction for a universal one-way hash function based on a one-way permutation needs to call that permutation at least  Ω( n/p(n)) times to construct a secure hash function h : {0, 1}n → {0, 1}(1−)n with security 2−p(n) . Their bound was later strengthened by Gennaro and Trevisan [6] to Ω(n/p(n)) that matches the best known construction. As much more efficient constructions are known for certain computational assumptions, these results can be interpreted as showing that although one-way permutations can be used to construct universal one-way hash functions in theory, it is not reasonable to do so in practice. Many other results in the same direction [3,4] seem to verify that intuition. Therefore, these are still infeasibility results, only of a weaker type. Our approach, however, goes to a different direction by studying the efficiency of the security reduction instead of the construction used for the new primitive. While bounds on construction efficiency allow one to show just how inefficient the new primitive has to be, bounds on the security part allow one to show just how much assumed security has to be lost when converting from one primitive to the other. In effect, we show that whenever an adversary to the new construction exists, any construction that converts that adversary to one for the original primitive has to do so at the cost of its adversarial efficiency measured by the time/success ratio. As such, we use a definition that is a refinement of polypreserving reductions defined by Luby [9]. However, to state those results, we first need to introduce some new notations. We begin by defining power c-secure reductions, in which we assume we know how the time-advantage ratio of an adversary to the newly constructed

266

A. Buldas, A. J¨ urgenson, and M. Niitsoo

primitive can be related to a time-success ratio of an attack against the underlying assumption. We note that this is the case for nearly all the positive reduction results known in modern cryptology. Furthermore, this definition allows us to use the oracle separation method to construct a framework for proving the lower bounds we desire. This article aims to provide a basis for further work on finding actual lower bounds on reduction efficiency and as such is mainly concerned with constructing the required tools for future work. However, to show how this approach can indeed be used, we also give two examples on how the theorem we provide can be used to obtain actual lower bounds.

2

Preliminaries and Notation

For bit-strings a and b we define ab as their concatenation. By x ← D we mean that x is chosen randomly according to a distribution D. If A is a probabilistic function or a Turing machine, then x ← A(y) means that x is chosen according to the output distribution of A on an input y. By Un we denote the uniform distribution on {0, 1}n. If D1 , . . . , Dm are distributions and F (x1 , . . . , xm ) is a predicate, then Pr [x1 ← D1 , . . . , xm ← Dm : F (x1 , . . . , xm )] denotes the probability that F (x1 , . . . , xm ) is true after the ordered assignment of x1 , . . . , xm . For functions f, g : N → R, we write f (k) = O(g(k)) [f (k) = Ω(g(k))] if there is c ∈ R, so that f (k) ≤ cg(k) [f (k) ≥ cg(k)] for sufficiently large k. We write f (k) = Θ(g(k) if f (k) = O(g(k)) and f (k) = Ω(g(k)). We write f (k) = ω(g(k)) −ω(1) if lim fg(k) , then (k) = 0 and f (k) = o(g(k)) if g(k) = ω(f (k)). If f (k) = k k→∞

f is negligible. A Turing machine M is polynomial-time (poly-time) if it runs in time k O(1) , where k denotes the input size. By an oracle Turing machine we mean an incompletely specified Turing machine S that comprises calls to oracles. The description can be completed by defining the oracle as a function O : {0, 1}∗ → {0, 1}∗ . In this case, the machine is denoted by S O . The function y ← O(x) does not have to be computable but has a conditional running time t(x), which does not necessarily reflect the actual amount of computations needed to produce y from x. The running time of S O comprises the conditional running time of oracle calls where we assume that each call O(x) takes t(x) steps. An oracle O is poly-time if t(x) =|x|O(1) , where |x| denotes the bit-length of x. We say that S is a poly-time oracle machine if S O runs in poly-time, whenever O is poly-time. By a non-uniform poly-time oracle machine we mean an ordinary poly-time oracle machine S together with a family A = {ak }k∈N of (advice) bitstrings ak with length k O(1) . For any oracle O and any input x it is assumed that S O (x) has access to the advice string a|x|. Usually, the advice strings are omitted for simplicity, but their presence must always be assumed when S is non-uniform. In the following we do not use the non-uniformity assumption anywhere and as such can rather safely assume that the machines can be non-uniform. We also define Timek (A, f ) as the expected running time of A on breaking fk ∈ f where the expectation is taken over all the possible randomness of A. Analogously, we define Advk (A, f ) as the average success probability of A in breaking fk ∈ f .

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

3

267

Cryptographic Reductions

Reductions have been one of the main tools of cryptologists since the beginning of the modern era in the field. At first, reductions were just used to show that breaking the security is as hard as some given computational problem and thus, if we assume that the computational problem is intractable, we have a secure system. However, as the field of cryptology expanded, reductions found use in many other applications as well. Most importantly, they were the main tool used in mapping out the limits of what can be constructed from the most general assumptions such as the existence of a one-way function. As reductions turned out to be a very effective tool, people soon took interest in exploring the limits of their use. Inspired by the results in complexity theory obtained by Baker, Gill and Solovay [1], Impagliazzo and Rudich [7] were the first to formally define a so-called black-box cryptographic reduction, with the only aim of proving that such a thing cannot exist between secret agreement and one-way permutations. In essence, a black-box construction of one primitive from another means that the constructed primitive is allowed to call the underlying primitive but is unable to gather any extra knowledge about it by any other means. This notion might seem a little restrictive at first, but in fact most of the reductions used in cryptology even to date still fit that model. However, even more general reduction hierarchy was introduced by Reingold et al. [10]. We use a somewhat informal approach in defining a primitive by saying that a primitive is a security criterion on some functions along with all the functions on which that criterion makes sense. For example, the security criterion for a oneway function f : {0, 1}∗ → {0, 1}∗ states that for every probabilistic poly-time adversary A:   Advk (A) = Pr x ← {0, 1}k , x ← A(f (x)) : f (x ) = f (x) = k −ω(1) . The primitive of one-way functions is this criterion together with the class of all functions of type f : {0, 1}∗ → {0, 1}∗ some of which might not be secure instances. For a fully formal approach, see Reingold et al. [10]. A black-box reduction of a primitive P to a primitive Q can be formalized as two oracle Turing machines S and P such that if f ∈ Q then Pf ∈ P and if A breaks the security criterion of P for Pf then then SA,f breaks the security criterion of Q for f . The definition seems somewhat complex but the idea behind it is actually rather simple – essentially it says is that a reduction has to provide an algorithmic means of constructing an instance of the new primitive with the help of the old (P) and that if that new construction is insecure then the original underlying primitive instance also has to be so as we can construct an adversary against it with S.

4

Power c Secure Reductions

Thus far, the construction P has been the main object of study in terms of efficiency. We, however, study the efficiency of S instead. While the efficiency

268

A. Buldas, A. J¨ urgenson, and M. Niitsoo

of P tells us just how effectively the new construction can be implemented, the efficiency of S actually tells us how much security we can guarantee for the new primitive on the assumption that the old primitive is secure in some sense. Suppose, for instance, that the most efficient adversary for the original primitive always takes at least 1000 steps to break it. Now, suppose we know that S construction calls the adversary for the new construction 10 times to break the old construction. This means that any adversary for the new construction has to make at least 100 steps on each call as otherwise we could use the good adversary in the construction S to create an adversary for the original primitive that works in less than 1000 steps. This informal1 argument should convince the reader that the efficiency of the construction S is indeed important in determining how secure we can prove the new construction. However, the number of steps the adversary takes to break a primitive is usually not the best measure for its efficiency. Practical adversaries are usually probabilistic and are not guaranteed to always break the primitive. This implies that it usually makes more sense to define the efficiency of the adversary to be its time/success ratio (the expected number of steps it takes on a run divided by the probability of success), which can be interpreted as the expected time to break the primitive if you just kept on running the adversary until it finally succeeds. This motivates the following definition: Definition 1. Let c > 0 be a positive real number. A Power c-secure fully blackbox reduction from primitive P to primitive Q is a pair (P, S) of poly-time oracle machines, satisfying the following two conditions: 1. For any function f that implements Q, the function Pf implements P. 2. For any pair (A, f ) of functions we have  c Timek (SA,f , f ) Timek (A, Pf ) O(1) ≤k · . Advk (SA,f , f ) Advk (A, Pf ) The reduction is uniform, if both P and S are uniform, and non-uniform if both of them are allowed to be non-uniform. As said before, it is generally assumed that the adversary construction knows nothing about the oracles that are given to it save for their basic syntactic functionality and the previous definition captures that formally as well. In some practical reductions, however, it is assumed that the construction S can actually be dependent on the success probability δ = Advk (A, Pf ) of A. For example, choosing the number of iterations of A when constructing strong one-way functions from weak ones [9] uses that knowledge in an essential way. Many other reductions also use this extra information and as such cannot be considered fully black-box anymore. As it turns out, however, allowing for such knowledge causes no significant theoretical problems and so we alter our original definition slightly to obtain: 1

Informal to the point of being incorrect unless we assume the adversaries always make the same number of steps independent of the input. This numerical example is here just to provide intuition to the formalization.

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

269

Definition 2. We say that there exists a power c-secure success-specific blackbox reduction from primitive P to primitive Q iff there is a poly-time oracle machine P and a polynomial p such that for every δ > 0 there is a poly-time oracle machine Sδ so that for all A such that Advk (A, Pf ) ≥ δ the following conditions hold: 1. For any function f that implements Q, the function Pf implements P. 2. For any pair (A, f ) of functions we have  c Timek (SA,f Timek (A, Pf ) δ , f) ≤ p(k) · . Advk (A, Pf ) Advk (SA,f δ , f) for sufficiently large values of k. Note that black-box reductions that satisfy Def. 2 for any certain (unspecified) c were first defined by Luby [9] and were called polynomial-preserving reductions and the reductions with c = 1 were called linear-preserving.

5

The Lower Bound Theorem

We are now ready to prove the theorem that gives the means of proving the lower bounds described in the introduction. Theorem 1. If for every pair (S, P) of poly-time oracle machines and for every δ > 0 there is a probability distribution (A, f ) ← ΩS,P,δ so that: – f implements Q and Pf implements P for every (A, f ) in the range of ΩS,P,δ ; – Advk (A, Pf ) = δ and Timek (A, Pf ) = O(k c0 ) for some c0 for all (A, f ) in the range of ΩS,P,δ ; – for every polynomial q(k) there exists δ(k) such that limk→∞ δ(k) = 0 and:   E Timek (SA,f , f ) c (A,f )←Ω δ(k) S,P,δ(k) lim · >1 , k→∞ q(k) E [Advk (SA,f , f )] (A,f )←ΩS,P,δ(k)

then there are no power c-secure success-specific black-box reductions of P to Q. Proof. Assume to the contrary that there exists such a reduction (Sδ , P). Then by the assumptions there exists a polynomial p(k) so that for every δ > 0 and for every pair (A, f ) of functions such that Advk (A, Pf ) ≥ δ we have  c Timek (SA,f Timek (A, Pf ) δ , f) ≤ p(k) · (1) δ Advk (SA,f δ , f) A,f c for large k. This implies δ c Timek (SA,f δ , f ) ≤ p(k)t (k) Advk (Sδ , f ), where t(k) = Timek (A, Pf ). Let ΩS,P,δ be the distribution guaranteed by the assumption of the theorem. Then,



A,f c δ c E Timek (SA,f , f ) ≤ p(k)t E Adv (S , f ) , k δ δ A,f

A,f

270

A. Buldas, A. J¨ urgenson, and M. Niitsoo

Where (A, f ) ← ΩS,P,δ . Let q(k) denote a polynomial upper bound for p(k)tc (k) (that exists because t(k) = O(k c0 ) for all A). Since the preceding inequality holds for all δ, we also have

E Timek (SA,f , f) c δ(k) δ(k) A,f

≤1 lim · k→∞ q(k) E Advk (SA,f , f ) δ(k) A,f

for every possible δ(k) such that limk→∞ δ(k) = 0, a contradiction.

6



A Simple Example

As an example of the use of this theorem we give a proof that any reduction from collision-resistant functions to one-way functions has to be at least linear2 . Although the fact itself is rather straightforward, this proof serves as a toy example to introduce the technical complexities of using Theorem 1. However, we first need to introduce some definitions: Definition 3. By a cryptographic (2-1) hash function we mean a function family hk : {0, 1}p(k) × {0, 1}2k → {0, 1}k where p(k) > k is a polynomial. The first argument is the so-called function index which is mostly chosen uniformly at random. Definition 4. A cryptographic 2-1 hash function h = {hk } is said to be collision resistant if for every poly-time adversary A:

Advk (A) = Pr r ← {0, 1}p(k) , (x1 , x2 ) ← A(r) : x1

= x2 , hk (r, x1 ) = hk (r, x2 ) = k −ω(1) . Definition 5. A cryptographic 2-1 hash function h = {hk } is said to be one-way if for every poly-time adversary A:   Advk (A) = Pr x ← {0, 1}k , x ← A(hk (x)) : hk (x ) = hk (x) = k −ω(1) . It actually turns out we need one more technical but rather natural assumption. Essentially, we want the running time to be relatively independent of the output distribution of the adversary used as the black box oracle assuming that its mean value of success is fixed and known. Definition 6. We say that the reduction is oracle-independent if the running time Timek (SA,f δ , f ) of S is between m(k, δ) and u(k)m(k, δ) for all oracles Ak that achieve an advantage of δ against Pf where m is polynomial and u(k) = 2o(k) and does not depend on δ. 2

Classical properties of hash functions and the relations (implications and separations) between them are well studied by Rogaway and Shrimpton [11]. However, it is still not that obvious whether the known constructions are optimal in terms of efficiency.

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

271

After these definitions we can now state and prove the result: Theorem 2. Let h = {hk } be a cryptographic 2-1 hash function that is collisionresistant. Then for c < 1 there exist no power c-secure success-specific oracleindependent (possibly non-uniform) black-box reductions SA,f showing that h is also a one-way function. Proof. Fix a c < 1 and a success-specific adversary construction family S = {Sδ }. According to the theorem, we want to be able to exhibit oracle distributions ΩS,P,δ (0 < δ ≤ 1) and a series of δk for any given polynomial q(k) such that

Aδk ,h E Time (S ) k δk δ c (Aδ ,h)←ΩS,P,δk

>1 lim k · k Aδ ,h k→∞ q(k) E Advk (Sδk k ) (Aδk ,h)←ΩS,P,δk

so that δk would also converge to 0 as k goes to infinity. Therefore assume we have a fixed polynomial q(k). Let m(k, δ) and u(k) be the functions guaranteed by oracle-independence for Sδ . Then define the sequence δk = (ku(k)q(k))−1/ where  = 1 − c. It is clear that limk→∞ δk = 0 as desired, since kq(k) is a polynomial with degree at least 1. We choose f to be a random oracle and choose Aδ from all the oracles that break the given f on exactly δ fraction of inputs3 We also assume that A calls take unit time. The best way to find a collision for a random oracle with the help of the inversion adversary is to choose a random input x to f and then to call A(f (x)) to try to get a second pre-image for f (x). Since A succeeds with probability δ, the chance of not having a collision after using this method m times is (1 − δ)m . If the one-wayness adversary is not used, the best possible attack against a random oracle is the birthday attack, that has a probability of success p(m, k) = O(m2 2−k ) if k is the security parameter and m is the number of calls to f . This gives us an upper bound for the success probability for the construction: f (δk , m) = 1−(1−δk )m +p(m, k) < mδk +p(m, k) for large enough k (as δk goes to 0 as k increases). This gives us:

Aδ ,h E Timek (Sδk k ) 1− (A ,h)←Ω δk δk1− m(k) δ S,P,δk

· k ≥ Aδ ,h q(k) q(k)f (δk , u(k)m(k)) E Advk (Sδk k ) (Aδk ,h)←ΩS,P,δk

=

δk1− m(k) q(k)(u(k)m(k)δk + p(u(k)m(k), k))

δk− q(k)u(k)(1 + O(u(k)m(k)δ −1 2−k )) k ≥ >1 2

=

for large enough k since u(k)m(k)δ −1 = 2o(k) according to the assumptions.  3

We mean that the oracle distribution is a uniform distribution over all possible f : {0, 1}2k → {0, 1}k and all Aδ that fit the given description for the given f .

272

7

A. Buldas, A. J¨ urgenson, and M. Niitsoo

A Practical Example

We now give another example of using Theorem 1. We stick to properties of hash functions and introduce the property of division-resistance important in some time-stamping applications [2] and in the security against the so-called Nostradamus attacks [12]. As the length of the paper is limited, we will not provide an introduction into time-stamping and to Nostradamus attacks. A reader more interested in them should refer to the two papers [2,12]. Definition 7. A cryptographic 2-1 hash function h = {hk } is said to be divisionresistant if for every poly-time adversary A = (A1 , A2 ):

Pr r←{0, 1}p(k) , y←A1 (r), x1←{0, 1}k , x2←A2 (y, x1 ): hk (r, x1x2 )=y = k −ω(1) . We are now ready to state the result. The proof is, yet again, rather technical and the reader is advised to try to understand the previous proof before trying this one. Theorem 3. Let h = {hk } be a cryptographic 2-1 hash function that is collisionresistant. Then for c < 1.5 there exist no power c-secure success-specific oracleindependent (possibly non-uniform) black-box reductions SA,f showing that h is also division-resistant. Proof. We base the proof on theorem 1. As such, fix a c < 1.5 and a successspecific adversary construction S = {Sδ }. According to the theorem, we want to be able to exhibit oracle distributions ΩS,P,δ (where 0 < δ ≤ 1) and a series of δk for any given polynomial q(k) such that

Aδk ,h E Time (S ) k δ k δ c (Aδ ,h)←ΩS,P,δk

>1 lim k · k A δ ,h k→∞ q(k) E Advk (Sδk k ) (Aδk ,h)←ΩS,P,δk

so that δk would also converge to 0 as k goes to infinity. Let q(k) be a polynomial and let m(k, δ) and u(k) be the functions guaranteed by oracle-independence for Sδ . Define the sequence δk = (ku(k)2 q(k))−1/ where  = 1.5 − c. It is clear that limk→∞ δk = 0 as desired, since kq(k) is a polynomial with degree at least 1. We now begin constructing the oracle distributions ΩS,P,δ . We choose the hash functions h = {hk } to be taken from the set of all possible 2-1 cryptographic hash functions where πr,x (y) = h(r, xy) is a uniformly chosen random permutation that is chosen independently for each choice of r and x ∈ {0, 1}k . This ensures that we can always break division-resistance with respect to any output and fixed first half of the input. This choice of h also makes finding collisions hard. Without an adversary oracle A, the best possible tactic (given a fixed r) is clearly to just choose a sequence of random inputs x1 ||y1 , x2 ||y2 , . . . , xm ||ym so that all yi are different and then check if any pair of them gives a collision. Denote the probability of such an attack succeeding after at most m different h-queries

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

273

by p(m, k). Clearly, the birthday bound applies and p(m, k) = O(m2 2−k ). It is worth noting that p(u(k)m(k, δk ), k) = o(1). We now describe the behavior of Aδ = (A1δ , A2δ ). The part A1δ is always the same – given k, it just returns 0k . The behavior of A2δ , however, may vary for different values of k. Let m(k) = m(k, δk ). There are two possible choices for a given k depending on m(k). If m(k) > δk−0.5 then take as A2δ (k, ·) an oracle that always succeeds on a δ-fraction of randomness strings for h while always failing on the others. Otherwise, if m(k) ≤ δk−0.5 , choose Aδk (k, ·) to be an oracle that breaks hk for every randomness r but for each of them on only a δk fraction of possible partial inputs. In both cases the oracle is not one fixed choice, but rather chosen uniformly from amongst all the oracles matching that description. It should be clear that the success probability of Aδ is δ. Note, however, that the two oracle types we use are very different in terms of breaking collision-resistance. The first one is such that if it works on the given r, we are guaranteed a collision with a query to A1 and two queries to A2 while if it does not, the oracle is completely useless. The second one is always somewhat useful, but we normally need a lot more queries to find the collision. We will now analyze the time-success ratio of Sδk . We look at three cases for a given k, again depending on m(k). We first examine the case where m(k) ≤ δk−0.5 . For an adversary to break collision resistance, it either has to be able to find two partial inputs for which Aδk gives an answer or to find a collision with just h queries. The case where we find just one input with Aδk gives us no more information than a random h query that just happens to give an output of 0k and as such is equivalent with the case where we just used h queries. It is clear then, that after at most m queries to the oracle the success function is bounded from above by  f (m, δ) = 1 − mδ(1 − δ)m−1 − (1 − δ)m + p(m, k) = O m2 (δ 2 + 2−k ) . Thus



Aδk ,h Time (S ) k δk δk1.5− (Aδk ,h)←ΩS,P,δk m(k)δk1.5−

· ≥ Aδ ,h q(k) q(k)f (u(k)m(k), δk ) E Advk (Sδk k )

E

(Aδk ,h)←ΩS,P,δk

=

m(k)δk1.5− q(k)O (u(k)2 m(k)2 (δk2 + 2−k ))

≥

δk1.5− k = , 1.5 2 c0 u(k) q(k)δk (1 + o(1)) 2c0

where c0 is the constant derived from O-notation and we assume k to be large enough so that the o(1) value is less than 1. For the other two cases the analysis is somewhat simpler. If δk−0.5 < m(k) ≤ −1.5 δk then the analysis is a little bit more complicated:

274

A. Buldas, A. J¨ urgenson, and M. Niitsoo

Timek (SAδkδ ,h ) (Aδk ,h)←ΩS,P,δk m(k)δk1.5−

· ≥ Aδ ,h q(k) q(k)(δk+O(u(k)2 m(k)2 2−k )) E Advk (Sδk k )

δk1.5−

E



(Aδk ,h)←ΩS,P,δk

≥

δk− k ≥ . q(k)(1+O(δk−4 2−k )) 2c0

Finally, if m(k) > δk−1.5 then

Aδk ,h E Time (S , h) k δk δk1.5− (Aδk ,h)←ΩS,P,δk δ(k)− k

· ≥ ≥ ku(k)2 ≥ , Aδk ,h q(k) q(k) 2c 0 E Advk (Sδk , h) (Aδk ,h)←ΩS,P,δk

where the first inequality holds simply because the success probability of SA,h is bounded by 1. In all three cases the value is larger than 2ck0 for large enough k and thus goes to infinity as k does so we can apply Theorem 1.  As we see, the proof is quite technical and may seem too much for just an example. However, this theorem has rather interesting implications for Merkletree based hash-then-publish time-stamping schemes whose security relies on the collision-resistance of the underlying hash function. Such schemes have been used in practice for many years. The division-resistance condition corresponds to the security requirement for the hash-then publish time-stamping for just two documents and this result thus gives a bound on how much we could tighten the security proofs of the time-stamping scheme based solely on the collisionresistance assumption. This example result answers to the open question in [2] about the existence of linear-preserving (i.e. with c = 1) reductions from secure hash-and-publish time-stamping schemes to the collision-resistance of the underlying hash function. Our result implies that any such reduction should have c ≥ 1.5. All known reductions of secure hash-then-publish time-stamping systems to the collision-resistance are quadratic (c = 2) and hence, the existence of a reduction with 1.5 ≤ c < 2.0 is still an open question.

8

Conclusions

We have presented a framework for proving lower bounds on the efficiency of cryptographic reductions in terms of time-success ratio of black-box adversary constructions. We have also shown that this framework can actually be used to produce meaningful and interesting lower bounds for reductions actually used in practice that are not too far from best constructions already known. Our work leaves some related open questions for further study. First of all, it would please us very much to see this framework being used to show some other lower bounds or to even show that some construction used in practice is actually optimal in the sense of time-advantage ratio.

Efficiency Bounds for Adversary Constructions in Black-Box Reductions

275

References 1. Baker, T., Gill, J., Solovay, R.: Relativizations of the P =?NP question. SIAM Journal on Computing 4, 431–442 (1975) 2. Buldas, A., Saarepera, M.: On Provably Secure Time-Stamping Schemes. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 500–514. Springer, Heidelberg (2004) 3. Gennaro, R., Gertner, Y., Katz, J.: Lower bounds on the efficiency of encryption and digital signature schemes. In: Proceedings of the thirty-fifth annual ACM symposium on Theory of computing, pp. 417–425 (2003) 4. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM Journal on Computing 35, 217–246 (2006) 5. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of Computer Science, Redondo Beach, California, November 2000, pp. 325–335 (2000) 6. Gennaro, R., Trevisan, L.: Lower Bounds on the Efficiency of Generic Cryptographic Constructions. In: FOCS 2000, pp. 305–313 (2000) 7. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proc. of the Twenty First Annual ACM Symposium on Theory of Computing, pp. 44–61 (1989) 8. Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutationbased hash functions. In: Proceedings of the 40th Annual Symposium on Foundations of Computer Science, pp. 535–542 (1999) 9. Luby, M.: Pseudorandomness and cryptographic applications. Princeton University Press, Princeton (1996) 10. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004) 11. Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004) 12. Stevens, M., Lenstra, A., de Weger, B.: Chosen-prefix collisions for md5 and colliding x.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)

Building Key-Private Public-Key Encryption Schemes Kenneth G. Paterson and Sriramkrishnan Srinivasan Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, U.K. {kenny.paterson,s.srinivasan}@rhul.ac.uk

Abstract. In the setting of identity-based encryption with multiple trusted authorities, TA anonymity formally models the inability of an adversary to distinguish two ciphertexts corresponding to the same message and identity, but generated using different TA master public-keys. This security property has applications in the prevention of traffic analysis in coalition networking environments. In this paper, we examine the implications of TA anonymity for key-privacy for normal public-key encryption (PKE) schemes. Key-privacy for PKE captures the requirement that ciphertexts should not leak any information about the public-keys used to perform encryptions. Thus key-privacy guarantees recipient anonymity for a PKE scheme. Canetti, Halevi and Katz (CHK) gave a generic transform which constructs an IND-CCA secure PKE scheme using an identitybased encryption (IBE) scheme that is selective-id IND-CPA secure and a strongly secure one-time signature scheme. Their transform works in the standard model (i.e. does not require the use of random oracles). Here, we prove that if the underlying IBE scheme in the CHK transform is TA anonymous, then the resulting PKE scheme enjoys key-privacy. Whilst IND-CCA secure, key-private PKE schemes are already known in the standard-model, our result gives the first generic method of constructing a key-private PKE scheme in the standard model. We then go on to investigate the TA anonymity of multi-TA versions of well-known standard model secure IBE schemes. In particular, we prove the TA anonymity and selective-id IND-CPA security of a multi-TA version of Gentry’s IBE scheme. Applying the CHK transform, we obtain a new, efficient keyprivate, IND-CCA secure PKE scheme in the standard model. Keywords: public-key encryption, key-privacy, identity-based encryption, multiple trusted authorities, TA anonymity, standard model.

1

Introduction

Building public-key encryption (PKE) schemes that are secure in a very strong sense, satisfying indistinguishability against chosen ciphertext attacks or IND-CCA secure, remains a very active area of research. Only a handful of approaches [20,13,11] are known for constructing IND-CCA secure PKE schemes C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 276–292, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Building Key-Private Public-Key Encryption Schemes

277

without resorting to the Random Oracle Model [3]. In the usual public-key setting, the security notion termed key-privacy has also gained increasing importance in recent years, in the context of anonymous communications [2]. While specific schemes such as ElGamal, Cramer-Shoup and RSA-based schemes are known to be key-private [2], no generic method is known for constructing a key-private PKE scheme. Following the results of Cocks [12], and the pairing-based solutions of Sakai, Ohigishi and Kasahara [22] and Boneh and Franklin [7], identity-based cryptography (IBC) [23] has become one of the most active areas of cryptographic research. Canetti et al. [11] give a generic construction, now called the CHK transform, to obtain an IND-CCA secure PKE scheme from an IBE scheme that is selective-id IND-CPA secure, and a strong one time signature scheme. No mention is made in [11] of the key-privacy of the PKE schemes arising from the CHK transform. In the world of identity-based encryption (IBE), the setting of multiple trusted authorities has recently been treated rigorously [21]. In this setting, the relatively new security property termed trusted authority (TA) anonymity captures the inability of an adversary to distinguish two ciphertexts corresponding to the same message and identity, but generated using different TA master public-keys. At a high level, in this paper, we prove that a key-private PKE scheme is obtained from the CHK transform if the underlying IBE scheme has a weak form of TA anonymity. Our result gives the first generic method for constructing a PKE scheme in the standard model that is both key-private and IND-CCA secure. Based on our current results, we argue that the relatively new notion of TA anonymity is not only of interest in the area of anonymous communications, for example in thwarting traffic analysis [21], but also has rather subtle cryptographic implications for schemes that use IBE as a building block. It therefore merits further study. We investigate the TA anonymity of multi-TA versions of well-known IBE schemes in the standard model and we are easily able to show that they do not satisfy the notion of TA anonymity. By contrast, we prove that a multi-TA version of Gentry’s IBE scheme [15] is TA anonymous. Instantiating the CHK transform with this multi-TA Gentry scheme gives us a concrete and reasonably efficient key-private, IND-CCA secure PKE scheme in the standard model.

2

Background

Anonymous encryption was historically motivated in the context of mobile communication. In the standard public-key setting, entities A and B exchange encrypted messages using each others’ public-keys, over a broadcast medium, where eavesdroppers can see all ciphertexts on the network. It is reasonable to assume that A and B will want to keep their identities hidden from such eavesdroppers and this is possible only when ciphertexts do not leak information about the public-keys used to create them, a notion formalized as key-privacy in [2]. In almost all the existing literature on IBE, with a small number of exceptions, there is a single TA that issues keys to all the users in the system, and all ciphertexts are created using the public parameters of that single TA. This TA is also known as the private key generator (PKG) in the literature. In this traditional single-TA

278

K.G. Paterson and S. Srinivasan

identity-based setting, the notions of security roughly equivalent to the IND-CPA and IND-CCA security notions for PKE were first formalized in [7]. In the INDCPA and IND-CCA games for IBE, the adversary is also given access to a private key extraction oracle with suitable restrictions on its use. In IBE, the security notion equivalent to key-privacy in PKE is termed recipient anonymity. The systematic study of recipient anonymity was initiated in [1], motivated both by its intrinsic interest in IBE and for its application in constructing public-key encryption with keyword search (PEKS) schemes. Recipient anonymity models the requirement that ciphertexts should not leak the identity of their intended recipients. It is possible to envisage scenarios with multiple, independent TAs perhaps sharing some common system parameters. The systematic study of security of IBE in this multi-TA setting was initiated in [21]. In such a setting, in addition to the usual IBE security notions of indistinguishability and recipient anonymity, the notion of TA anonymity arises naturally. TA anonymity captures the requirement that an adversary should find it difficult to distinguish ciphertexts produced using different TA master public-keys, even if the ciphertext is for the same message and identity string. TA anonymity has practical significance, again in the context of anonymous communications. For example, if a coalition of TAs operate in a wireless setting where all ciphertexts can be captured from the network by an adversary, and if the ciphertext were to somehow leak the identity of the TA, this would open up avenues for traffic analysis [21]. However, the cryptographic implications of TA anonymity for schemes that use IBE as a building block have as yet not been studied.

3

Our Contributions

We consider the CHK transform in the setting of multiple public keys that is needed when studying key-privacy. This quite naturally gives rise to a multi-TA IBE setting of the type considered in [21]. We show how to modify the CHK construction to reflect this setting. We then prove that the key-privacy of the PKE scheme resulting from our modified CHK transform follows from a weak form of TA anonymity for the underlying multi-TA IBE scheme. Our result gives us the first generic method of constructing a PKE scheme in the standard model that is key-private, as well as being IND-CCA secure. We note that the transform of Boneh and Katz [8] builds on the ideas of [11] to give a more efficient construction of PKE from IBE. We can prove similar results for the Boneh-Katz transform. (The results from both [11,8] appear in [6].) Due to constraints of space and bearing in mind that the proof of security in [8] is more involved and that the our aim in this paper has been to highlight the significance of TA anonymity, especially with relation to building key-private PKE schemes, we have limited our discussions to the original CHK transform. To obtain concrete PKE schemes that are key-private and IND-CCA secure, we study the TA anonymity properties of multi-TA versions of the known standard-model IND-CPA secure IBE schemes. We are able to prove that a multi-TA version of the scheme of Gentry [15] is TA anonymous. We are also

Building Key-Private Public-Key Encryption Schemes

279

able to show that multi-TA versions of the two popular standard model schemes of Boneh and Boyen in [5], termed BB1 and BB2 in the literature, and multi-TA versions of the schemes related to the BB1 scheme, such as those of Waters [24] and Naccache [19], trivially do not meet the notion of TA anonymity.

4

Definitions

In this section, we provide basic definitions needed for the remainder of the paper. Here, we omit standard definitions for PKE, IBE and strongly secure one-time signatures which can be found in the full version of this paper or for example in [6]. Definition 1. A pairing-friendly group generator PairingGen is a polynomial time algorithm with input 1k and output a tuple (G, GT , e, p, g). Here G, GT are groups of prime order p, g generates G, and e : G × G → GT is a bilinear, non-degenerate and efficiently computable map. For ease of presentation, we work exclusively in the setting where e is symmetric; our definitions and results can be generalised to the asymmetric setting where e : G1 ×G2 → GT , with G1 and G2 being different groups. Further details concerning the basic choices that are available when using pairings in cryptography can be found in [14]. Definition 2. We define the advantage of an algorithm A in solving the Truncated Decisional -Augmented Bilinear Diffie-Hellman Exponent (-TDABDHE) problem in (G, GT ) to be:  Adv-TDABDHE (k) = | Pr(A(g  , g(l+2) , g1 , g2 , . . . , gl , e(g(l+1) , g  )) = 1) A  − Pr(A(g  , g(l+2) , g1 , g2 , . . . , gl , Z) = 1)| $

$

$

i

where α ← Z∗p , Z ← GT , g  ← G, gi = g (α ) and gi = g  (α ) . Here, we implicitly assume that parameters (G, GT , e, p, g) are given to A as additional inputs. The distribution on the left is referred to as PABDHE and that on the right is referred to as RABDHE . i

We note that this is the same assumption that is used to prove the security of the IBE scheme presented in [15]. Definition 3. We say that the (t, , )-TDABDHE problem is hard in (G, GT ) if no t-time algorithm has advantage at least  in solving the -TDABDHE problem in (G, GT ). Definition 4. A function (k) is said to be negligible if, for every c, there exists kc such that (k) ≤ k −c for every k ≥ kc .

5

Multi-TA IBE

A multi-TA IBE scheme is defined in [21] in terms of five algorithms:

280

K.G. Paterson and S. Srinivasan

– CommonSetup: On input 1k , outputs params, a set of system parameters shared by all TAs; T = {ta i : 1 ≤ i ≤ n} will represent the set of (labels of) TAs, where n = n(k) ∈ N. – TASetup: On input params, outputs a master public-key mpk (which includes params), and a master secret key msk . This algorithm is randomized and executed independently for each TA in T . – KeyDer, Enc, Dec: These are all as per a normal IBE scheme. Following the reasoning in [21] we note that for the concrete schemes and transforms considered in this paper, common parameters are needed in order to achieve the notion of TA anonymity; doing so without having some (nontrivial) common parameters is an interesting open problem. We note that it is not unreasonable to assume that the different TAs may share some common system parameters (e.g. the output of a pairing parameter generator) [21]. In fact the possibility of TAs sharing parameters becomes much more likely when we consider the greater complexity of setting up an IBE scheme (where consideration has to be given, among other things, to the choice of elliptic curves, groups used in Pairings, the representation of elements etc.) compared to the “relative simplicity” of setting up, say an RSA scheme. The IEEE P1363.3 working group aims to produce a set of standards specific to identity-based cryptography to address these difficulties. Indeed, sharing of common parameters is inevitable if any kind of interoperability is desired between TAs and such scenarios are becoming more and more desirable [4]. 5.1

Security Models for Multi-TA IBE

In all the security games that follow, we associate to an adversary A and a bit b ∈ {0, 1}, the advantage of the adversary for a “notion-attack” combination, which is defined to be:   notion-atk-b (k) =  notion-atk-1 (k) = 1] − Pr[Expnotion-atk-0 (k) = 1] . AdvA Pr[ExpA  A

A scheme is said to be “notion-atk”-secure if the advantage of all PPT adversaries is negligible as a function of the security parameter k. We detail the m-IND-RA-TAA-CCA experiment as defined in [21] that simultaneously captures message indistinguishability, recipient anonymity and TA anonymity in the multi-TA IBE setting, against chosen ciphertext adversaries. This model also gives the adversary access to a Corrupt oracle that returns the master secret key for a TA of the adversary’s choice. In the security game defined below, TASet represents the set of TAs that have been corrupted, i.e. queried for their master secret keys, IDSet ta represents the set of identities queried for private keys for each ta ∈ T , while CSet ta represents the set of identity/ciphertext pairs on which decryption queries have been performed for each ta ∈ T . In these games, MPK = {mpkta : ta ∈ T } and MSK = {mskta : ta ∈ T } represent the set of all master public-keys and all master secret keys, respectively.

Building Key-Private Public-Key Encryption Schemes

Experiment Expm-IND-RA-TAA-CCA-b (k) A params ← CommonSetup(1k ) TASet ← ∅ ∀ta ∈ T , (mpk ta , msk ta ) ← TASetup(params), IDSet ta ← ∅ and CSet ta ← ∅ (ta 0 , ta 1 , id 0 , id 1 , m 0 , m 1 , state ) ← ACorrupt,KeyDer,Dec (find, MPK ) ∗ c ← Enc(mpk ta b , id b , m b ) b ← ACorrupt,KeyDer,Dec (guess, c∗ , state )

If {m 0 , m 1 }  MsgSp or |m 0 | = |m 1 | then Return 0 If (ta0 = ta1 and id0 = id1 and m0 = m1 ) then Return 0 If ta 0 ∈ / TASet , ta 1 ∈ / TASet, id 0 ∈ / IDSet ta 0 , id 1 ∈ / IDSet ta 1 , (id 0 , c∗ ) ∈ / CSet ta 0 and (id1 , c∗ ) ∈ / CSet ta 1 then Return b else Return 0

281

Oracle Corrupt(ta) TASet ← TASet ∪ {ta} Return msk ta Oracle KeyDer(ta, id ) IDSet ta ← IDSet ta ∪ {id } usk id ,ta ← KeyDer(msk ta , id) Return usk id ,ta Oracle Dec(ta, id, c) CSet ta ← CSet ta ∪ {(id , c)} usk id ,ta ← KeyDer(msk ta , id) m ← Dec(mpk ta , usk id ,ta , c) Return m

By placing suitable restrictions on the m-IND-RA-TAA-CCA security notion, we can define other, weaker security notions appropriate to the multi-TA IBE setting. For example, CPA secure versions can be defined by removing the adversary’s access to the decryption oracle. By removing the adversary’s access to the Corrupt oracle we define “restricted” versions, and appropriate selective-id versions can be defined by having the adversary commit ahead of time to the identities used in the challenge query. Furthermore, setting m 0 = m 1 , id 0 = id 1 or ta 0 = ta 1 gives security notions appropriate to specific circumstances. We will elaborate on some of these security models as we encounter them in this paper.

6

Key-Privacy of the CHK Transform

Canetti et al. [11] give a construction that builds an IND-CCA secure PKE scheme from a selective-id IND-CPA secure IBE scheme and a strongly secure one-time signature scheme. We first describe a security notion for PKE which we term IND-IK-CCA and which simultaneously captures message indistinguishability and key-privacy. We then define the selective-id r-m-IND-TAA-CPA security notion for IBE, this being a weakened version of the m-IND-RA-TAA-CCA notion defined above. We then modify the CHK construction from [11] to reflect the setting of multiple users. Finally we show that the IND-IK-CCA security of the public-key encryption scheme built using the (modified) CHK transform follows from the selective-id r-m-IND-TAA-CPA security of the underlying IBE scheme. We note that we do not require recipient anonymity of the IBE scheme to obtain our result. Rather, the security property needed from the IBE scheme is the form TA anonymity which is captured in our selective-id r-m-IND-TAA-CPA security notion. In section 7.1 we will prove that a multi-TA version of Gentry’s IBE scheme meets the stronger m-IND-RA-TAA-CPA security notion. This is sufficient

282

K.G. Paterson and S. Srinivasan

for the application of our result. Instantiating the CHK transform with the multiTA Gentry scheme and any strongly secure one-time signature scheme will give us a concrete construction of a key-private and IND-CCA secure PKE scheme. 6.1

IND-IK-CCA Security for PKE

Bellare et al. [2] define two notions, IK-CPA and IK-CCA security, that capture the notions of key-privacy under chosen plaintext attacks and chosen ciphertext attacks, respectively. For our purposes, we define a combined security notion which simultaneously captures both message indistinguishability and keyprivacy. We term this IND-IK-CCA security. IND-IK-CCA-b(k) Experiment ExpA $

I ← CommonSetup(1k ) $

(PK 0 , SK 0 ) ← KeyGen(I) $

(PK 1 , SK 1 ) ← KeyGen(I) CSet SK 0 ← ∅, CSet SK 1 ← ∅ (m 0 , m 1 , state) ← ADec (find, PK 0 , PK 1 ) c∗ ← Enc(PK b , m b ) b ← ADec (guess, c∗ , state ) If |m 0 | = |m 1 | or m 0 = m 1 then Return 0 If c∗ ∈ / CSet SK 0 and c∗ ∈ / CSet SK 1 then Return b else Return 0

6.2

Oracle Dec(PK b , c) CSet SK b ← CSet SK b ∪ {c} m ← Dec(SK b , c) Return m

Security for Multi-TA IBE

We define the selective-id r-m-IND-TAA-CPA security notion for multi-TA IBE. A single identity is used in the challenge phase in this model, i.e. id 0 = id 1 . Furthermore, the adversary commits to this identity at the start of the game. The adversary is not allowed to make decryption or Corrupt queries. s-id r-m-IND-TAA-CPA-b(k) Experiment ExpA ∗ k id ← A(1 ) params ← CommonSetup(1k ) TASet ← ∅ ∀ta ∈ T , (mpk ta , msk ta ) ← TASetup(params), IDSet ta ← ∅ (ta 0 , ta 1 , m 0 , m 1 , state ) ← AKeyDer (find, MPK ) ∗ c ← Enc(mpk ta b , id ∗ , m b ) b ← AKeyDer (guess, c∗ , state )

If {m 0 , m 1 }  MsgSp or |m 0 | = |m 1 | or m 0 = m 1 then Return 0 If ta0 = ta1 then Return 0 If ta 0 ∈ / TASet , ta 1 ∈ / TASet , id ∗ ∈ / IDSet ta 0 , ∗ id ∈ / IDSet ta 1 then Return b else Return 0

Oracle KeyDer(ta, id ) IDSet ta ← IDSet ta ∪ {id } usk id ,ta ← KeyDer(msk ta , id) Return usk id ,ta

Building Key-Private Public-Key Encryption Schemes

6.3

283

The Modified CHK Transform

Let Π  = {CommonSetup , TASetup, KeyDer, Enc , Dec } be a multi-TA IBE scheme for identities of length n. Let Sig = {Gen, Sgn, Vrfy} be a one-time signature scheme in which the verification keys output by Gen have length n. Define Π = {CommonSetup, KeyGen, Enc, Dec} as follows – CommonSetup: Runs CommonSetup to obtain params. – KeyGen: Runs TASetup to obtain mpk , msk . The public-key is PK = mpk (PK includes params, as mpk by definition includes params) and the secret key is SK = msk . – Enc: To encrypt a message m using public-key PK , the sender first runs Gen to obtain a verification key vk and the corresponding signing key sk (with |vk | = n). Then, the sender computes c = Enc(PK , m) = Enc (mpk , vk , m) (i.e. the sender encrypts the message m with respect to identity vk for recipient with public-key PK = mpk ) and σ = Sgn(sk , c). The final ciphertext is (vk , c, σ). – Dec: To decrypt (vk , c, σ) using the secret key msk , the recipient first checks ?

whether Vrfy(vk , c, σ) = 1. If not, the receiver outputs ⊥. Otherwise, the receiver computes usk vk = KeyDer(msk , vk ) and outputs m = Dec(SK , c) = Dec (mpk , usk vk , c). Theorem 1. If Π  is an IBE scheme which is selective-id r-m-IND-TAA-CPA secure and Sig is a strongly secure one-time signature scheme, then Π is an IND-IK-CCA secure PKE scheme. Proof. Our proof follows closely the proof of [11] with suitable modifications to reflect the setting of multiple users. In the following, expressions of the form PrA,S [Event] denote the probability that an Event occurs when an adversary A interacts with a scheme S in a specified security game. Let A be an IND-IK-CCA adversary against Π. We say a ciphertext (vk , c, σ) is valid if Vrfy(vk , c, σ) = 1. Let (vk ∗ , c∗ , σ ∗ ) denote the challenge ciphertext received by A during a particular run of the experiment and let Forge denote the event that A submits a valid ciphertext (vk ∗ , c, σ) to its decryption oracle. Claim 1: PrA,Π [Forge] is negligible. Proof of Claim 1: A is an IND-IK-CCA adversary against the PKE scheme Π. We use A to construct an adversary F that forges a signature with respect to the one-time signature scheme Sig , with probability PrA,Π [Forge]. F is given a verification key vk . F first runs KeyGen to obtain (PK 0 , SK 0 ) and (PK 1 , SK 1 ). It gives A the two public-keys PK 0 and PK 1 . Note that F can answer any decryption queries of A. If A happens to submit a valid ciphertext (vk ∗ , c, σ) to its decryption oracle before requesting the challenge ciphertext then F simply outputs the forgery (c, σ) and stops.

284

K.G. Paterson and S. Srinivasan

Otherwise, when A outputs messages m0 and m1 , it chooses a random bit b and computes c∗ = Enc (mpk b , vk ∗ , mb ) and obtains from its signing oracle a signature σ ∗ on the message c∗ , i.e. σ ∗ = Sgn(sk , c∗ ) where sk is the signing key corresponding to vk . F gives A the challenge ciphertext (vk ∗ , c∗ , σ ∗ ) Subsequently, if A submits a valid ciphertext (vk ∗ , c, σ) to its decryption oracle, (note that we must have (c, σ)  = (c∗ , σ ∗ )) F simply outputs (c, σ) as its forgery. It is easy to see that F ’s success probability is exactly PrA,Π [Forge]. Claim 2: | PrA,Π [Succ ∧ Forge] +

1 2

PrA,Π [Forge] − 12 | is negligible.

Proof of Claim 2: We now use A to construct a selective-id r-m-IND-TAACPA attacker B against the IBE scheme Π  . Adversary B acts as a Challenger for A as follows. B runs Gen(1k ) to obtain (sk ∗ , vk ∗ ) and outputs a target identity id ∗ = vk ∗ to its Challenger C. C gives B MPK , the set of all master public-keys in the multi-TA IBE scheme. Adversary B gives A the two public-keys PK 0 = mpk ta0 and PK 1 = mpk ta1 . A is a IND-IK-CCA attacker against the public-key scheme. When A makes decryption queries on ciphertexts of the form (vk , c, σ), it specifies whether it wants the decryption corresponding to PK 0 or PK 1 . B answers decryption queries as follows. – If vk = vk ∗ then B checks whether Vrfy(vk ∗ , c, σ) = 1. In this case, B does not know the corresponding IBE secret key corresponding to the identity vk ∗ and it is not allowed to make this query to its Challenger C. Consequently, B aborts and outputs a random bit. If Vrfy(vk ∗ , c, σ)  = 1 then B responds with ⊥. – If vk  = vk ∗ and Vrfy(vk , c, σ)  = 1 then B responds with ⊥. – If vk  = vk ∗ and Vrfy(vk , c, σ) = 1 then B, • Makes the oracle query KeyDer(ta i , vk ) where PK i is specified in the challenge query and obtains usk vk ,ta i . • Computes m = Dec (mpk ta i , usk vk ,ta i , c) and responds with m. At some point during the simulation A outputs two equal length messages m 0 and m 1 . B forwards (ta 0 , m 0 ) and (ta 1 , m 1 ) to its Challenger. B is given the challenge ciphertext c∗ = Enc (mpk tab , id ∗ , mb ). B computes σ ∗ = Sgn(sk ∗ , c∗ ) and gives A (vk ∗ , c∗ , σ ∗ ). A continues to make decryption oracle queries which are answered by B as before. Finally A outputs a guess b and this same guess is output by B and B wins if b = b. We note that B provides a perfect simulation for A as well as a legal strategy for attacking the IBE scheme. In particular it never requests the secret key corresponding to the target identity vk ∗ for either of the target TAs. Therefore we have | PrB,Π  [Succ] − 12 | = | PrA,Π [Succ ∧ Forge] +

1 2

· PrA,Π [Forge] − 12 |.

Building Key-Private Public-Key Encryption Schemes

285

Claim 2 then follows as we know the left hand side of the above equation is negligible by the assumed security of the IBE scheme. Finally, we have | PrA,Π [Succ] − 12 | ≤ | PrA,Π [Succ ∧ Forge] − 12 · PrA,Π [Forge]| +| PrA,Π [Succ ∧ Forge] + 12 PrA,Π [Forge] − 12 | ≤ 12 · PrA,Π [Forge] + | PrA,Π [Succ ∧ Forge] + 12 PrA,Π [Forge] − 12 |. The proof of the result follows from the proofs of claims 1 and 2.

7

Anonymity of Standard Model IBE Schemes

To obtain a standard-model-secure key-private PKE scheme by applying the CHK transform, we need a multi-TA IBE scheme that is suitably TA anonymous under chosen plaintext attacks, in the standard model. While the TA anonymity of multi-TA versions of some popular IBE schemes in the Random Oracle Model has been previously studied in [21], the TA anonymity of multi-TA versions of standard model IBE schemes has not as yet been investigated. A multi-TA version of the BB1 IBE scheme from [5] can be sketched similar to the multi-TA version of Gentry’s IBE scheme in section 7.1 We can easily show that such a multi-TA BB1 scheme is not TA anonymous. Let us consider an adversary that requests the encryption of a message m to identity id in either ta 0 or ta 1 , in its challenge. The challenge ciphertext it receives is of the form: c∗ = (ˆ e(g1 , g2 )s · m, g s , F (id )s ) = (A, B, C). Since params ta 0 = (params, g1 , g2 , eˆ(g1 , g2 ), h, F ) and params ta 1 = (params, g1 , g2 , eˆ(g1 , g2 ), h , F  ) the adversary simply checks if eˆ(B, g1 id · h) = eˆ(C, g)

or

eˆ(B, g1

id

· h ) = eˆ(C, g)

to find, with overwhelming probability, which TA’s parameters were used. Multi-TA analogues of schemes related to the BB1 scheme, such as those of Waters [24] and Naccache [19], as well as the multi-TA analogue of the BB2 scheme [5], are also not TA anonymous for similar reasons. The original scheme by Gentry [15] is recipient anonymous and we now show that a multi-TA version of this scheme is TA anonymous.

286

7.1

K.G. Paterson and S. Srinivasan

Multi-TA Gentry

We first sketch a multi-TA version of Gentry’s IBE scheme. We assume identities are elements in Z∗p and messages are elements in GT . Later, we will need identities that are bit-strings of a fixed length; such identities can easily and securely be converted into elements of Z∗p by applying a suitable collision-resistant hash function. KeyDer(ta, id): – Pick rid ← Z∗p . – Output usk ta ,id = (rid , hid ) $

CommonSetup(1k ): – (G, GT , e, p, g) ← PairingGen(1k ). – Output params = (G, GT , e, p, g). TASetup(params):

1

where hid = (h · g −rid ) α−id . Enc(ta, id, m):

– Pick α ← Z∗p . Set g1 = g α . $

$

– Pick h ← G. – Define function F : Z∗p → G st F (x) = g1 · g −x . – Set mpk = (params, g1 , h, e(g, g), e(g, h), F ). – Set msk = α. – Output (mpk , msk ).

– Pick s ← Z∗p . – Output c = (F (id)s , e(g, g)s , e(g, h)−s · m). $

Dec(ta, id, c): – Parse c as (u, v, w). – Parse usk ta ,id as (d0 , d1 ). – Output m = w · e(u, hid )v rid .

The Multi-TA Gentry scheme. Anonymity of Multi-TA Gentry: We will first show that the multi-TA version of Gentry’s IBE scheme meets the r-m-IND-RA-TAA-CPA security notion under the q-TDABDHE assumption. This gives us a reduction that has tightness similar to the original single-TA scheme. Our proof follows closely the proof of [15] with suitable modifications to reflect the multi-TA setting. Theorem 2. Let q = qid + 1 where qid is the maximum number of private key extraction queries allowed by the adversary per TA. Assume the (t, , q)TDABDHE assumption holds in (G, GT ). Then, the above multi-TA IBE scheme is (t ,  , qid ) r-m-IND-RA-TAA-CPA secure for t = t − O(texp · n · q 2 ) and  =  + (4/p) where texp is the time required to exponentiate in G. Proof. The proof is given in the appendix. The above proof can be modified slightly to enable B to respond to Corrupt queries as well, thereby giving us a proof of security for the m-IND-RA-TAACPA security for the multi-TA version of Gentry’s IBE scheme, under the same assumptions:

Building Key-Private Public-Key Encryption Schemes

287

Theorem 3. Let q = qid + 1 where qid is the maximum number of private key extraction queries allowed by the adversary per TA. Assume the (t, , q)TDABDHE assumption holds in (G, GT ). Then, the above multi-TA IBE scheme is (t ,  , qid ) m-IND-RA-TAA-CPA secure for t = t − O(texp · n · q 2 ) and n   = ( + (4/p)) · 2 where texp is the time required to exponentiate in G. Proof. B simply generates two related q-TDABDHE challenges from the original input challenge and uses these to respond to private key extraction queries for two specific TAs indexed by ta x , ta y ∈ T . It cannot respond to Corrupt queries on these two TAs and the success of the proof relies on A choosing these two TAs in its Challenge query (thereby reducing the tightness of the reduction). For all other TAs {ta i ∈ T : i  = x, i  = y}, B simply generates the master public-keys and master secret keys itself and can therefore respond to private key extraction and Corrupt queries on these TAs. Further details are similar to the proof of Theorem 2. Final Observations: The multi-TA version of Gentry’s IBE scheme that we have given meets stronger notions of security than those required for the application of Theorem 1. We can therefore instantiate the modified CHK transform with the multi-TA version of Gentry’s IBE scheme (and any strongly secure onetime signature scheme) to obtain an IND-IK-CCA PKE scheme. This scheme is quite efficient. Ciphertexts consist of 3 group elements plus a signature and a verification key from the one-time signature scheme. Encryption and decryption cost roughly the same as encryption and decryption in Gentry’s scheme, with the additional requirement of generating or verifying one-time signatures.

8

Conclusion and Future Work

We have shown that the key-privacy of the PKE scheme resulting from the application of the CHK transform follows from the TA anonymity of the underlying IBE scheme, giving us the first generic method to construct a key-private PKE scheme. We have investigated various IBE schemes in the standard model and shown that a multi-TA version of Gentry’s IBE scheme meets the notion of TA anonymity. We have also constructed a key-private PKE scheme by instantiating the CHK transform with the multi-TA version of Gentry’s IBE scheme. We believe that the relatively new notion of TA anonymity in the setting of multiple TAs has rather subtle cryptographic implications on schemes that use IBE as a building block, but these have not been studied rigorously. For example, Holt [16] also considered security of IBE in the multi-TA setting, motivated by earlier work on anonymous credential systems [17,9]. However, the TA anonymity requirements for these applications are yet to be formally investigated.

Acknowledgements This research was sponsored in part by the US Army Research Laboratory and the UK Ministry of Defence and was accomplished under Agreement Number

288

K.G. Paterson and S. Srinivasan

W911NF-06-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the US Government, the UK Ministry of Defense, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. The second author is supported by a Dorothy Hodgkin Postgraduate Award, funded by EPSRC and Vodafone and administered by Royal Holloway, University of London. We are grateful to the anonymous referees for valuable comments and suggestions and Gaven Watson for proofreading parts of this work.

References 1. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., MaloneLee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005) 2. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001) 3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993) 4. Boklan, K.D., Klagsbrun, Z., Paterson, K.G., Srinivasan, S.: Flexible and Secure Communications in an Identity-Based Coalition Environment. In: IEEE Military Communications Conference, 2008. MILCOM 2008, pp. 1–6 (2008) 5. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin and Camenisch [10], pp. 223–238 6. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007) 7. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 8. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 87–103. Springer, Heidelberg (2005) 9. Bradshaw, R.W., Holt, J.E., Seamons, K.E.: Concealing complex policies with hidden credentials. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) ACM Conference on Computer and Communications Security, pp. 146–157. ACM, New York (2004) 10. Cachin, C., Camenisch, J.L. (eds.): EUROCRYPT 2004. LNCS, vol. 3027. Springer, Heidelberg (2004) 11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin and Camenisch [10], pp. 207–222 12. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)

Building Key-Private Public-Key Encryption Schemes

289

13. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk [18], pp. 13–25 14. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Cryptology ePrint Archive, Report 2006/165 (2006), http://eprint.iacr.org/ 15. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 16. Holt, J.E.: Key privacy for identity based encryption. Cryptology ePrint Archive, Report 2006/120 (2006), http://eprint.iacr.org/ 17. Holt, J.E., Bradshaw, R.W., Seamons, K.E., Orman, H.K.: Hidden credentials. In: Jajodia, S., Samarati, P., Syverson, P.F. (eds.) WPES, pp. 1–8. ACM Press, New York (2003) 18. Krawczyk, H. (ed.): CRYPTO 1998. LNCS, vol. 1462. Springer, Heidelberg (1998) 19. Naccache, D.: Secure and practical identity-based encryption. Information Security, IET 1(2), 59–64 (2007) 20. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437. ACM Press, New York (1990) 21. Paterson, K.G., Srinivasan, S.: Security and anonymity of identity-based encryption with multiple trusted authorities. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 354–375. Springer, Heidelberg (2008) 22. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Sympoium on Cryptography and Information Security, Okinawa, Japan, January 2000, pp. 26–28 (2000) 23. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 24. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

Appendix Proof of Theorem 2 Proof. Let A be an adversary that (t ,  , qid ) breaks the r-m-IND-RA-TAA-CPA security of the multi-TA Gentry IBE scheme described. Here qid is the maximum number of private key extraction queries allowed by the adversary per TA. We construct an algorithm B that solves the q-TDABDHE problem, as follows.  B takes as input a random q-TDABDHE challenge (g  , gq+2 , g1 , g2 , . . . , gq , Z)  where Z is either e(gq+1 , g ) or a random element of GT and the expected addii tional inputs (G, GT , e, p, g). (Recall that gi = g (α ) .) Algorithm B proceeds as follows. For an n TA system, T = {ta i : 1 ≤ i ≤ n} represents the set of (labels of) TAs, where n = n(k) ∈ N. B uses the input challenge to generate n related q-TDABDHE challenges, one for each TA in T . Let CHALi denote the q-TDABDHE corresponding to tai ∈ T . $ For tai ∈ T , B first draws βi ← Z∗p and sets CHALi equal to:  (g  , gq+2

(βi (q+2) )

2

q

, g1 (βi ) , g2 (βi ) , . . . , gq (βi ) , Z (βi

(q+1)

)

)

290

or

K.G. Paterson and S. Srinivasan

(g  , g 

((αβi )q+2 )

2

q

, g ((αβi )) , g ((αβi ) ) , . . . , g ((αβi ) ) , Z (βi

(q+1)

)

).

We make a few important observations. Firstly, note that if Z = e(gq+1 , g  ) (q+1) ) then Z (βi is the correct response for the corresponding input challenge CHALi . That is, if the original input q-TDABDHE challenge is drawn from PABDHE , then so are all the CHALi s. Similarly, if Z is random in GT then (q+1) ) so is Z (βi , i.e. if the original challenge is drawn from RABDHE then so are all the CHALi s. Secondly, we note that the g  value is the same in all the n “related” challenges. This does not present a problem as g  is used only once to construct the challenge ciphertext. – CommonSetup: B sets params equal to (G, GT , e, p, g). – Setup: For each ta i ∈ T , B generates a random polynomial fi (x) ∈ Zp [x] of 2 q degree q. It sets hi = g fi (αβi ) , computing hi from g, g1 (βi ) , g2 (βi ) , . . . , gq (βi ) . (βi ) It sets the public-key for tai to mpk i = (params, g1 , hi , e(g, g), e(g, hi), Fi ) where Fi : Z∗p → G is such that Fi (x) = g1 βi · g −x and sends all the n master public-keys to A. Since g, α are uniformly random, the βi values and the polynomials fi (x) are chosen uniformly at random, the g1 (βi ) and hi values are also uniformly random. Therefore the master public-keys have a distribution identical to that in an actual construction. (At this stage, we have essentially succeeded in using the single q-TDABDHE challenge to set up n independent TAs.) – Phase 1: A makes key generation queries on (ta, id ). B responds to a query on ta = ta i ∈ T and id ∈ Z∗p as follows. B checks if g id = g αβj in each CHAL . If the equality holds, this implies that j

id = αβj and B uses αβj to solve the q-TDABDHE challenge immediately by computing the target response to the challenge itself. Else, let Fid,i (x) denote the q − 1 degree polynomial Fid,i (x) = (fi (x) − fi (id))/(x − id).

B sets the private key for id in ta i to (rid,i , hid,i ) = (fi (id), g Fid,i (αβi ) ). This is a valid private key since g Fid,i (αβi ) = (hi · g −fi (id) )1/(αβi −id) . – Challenge: A outputs TAs ta 0 , ta 1 (which correspond to ta x and ta y ∈ T respectively), identities id 0 , id 1 and messages m 0 , m 1 . Again, as in phase 1, B checks if either of g id 0 or g id 1 is equal to g αβj in each CHALj . If the equality holds, this implies that one of id 0 or id 1 is equal to αβj and B uses αβj to solve the q-TDABDHE challenge immediately by computing the target response to the challenge itself. Else, B generates a bit b ∈ {0, 1} and computes a private key didb ,x = (ridb ,x , hidb ,x ) for id b in ta x if b = 0 or didb ,y = (ridb ,y , hidb ,y ) for id b in ta y if b = 1 as in Phase 1.

Building Key-Private Public-Key Encryption Schemes

291

Now, let g2 (x) = x(q+2) and F2,idb (x) = (g2 (x) − g2 (idb ))/(x − idb ) which is a (q + 1) degree polynomial. Then F2,idb (x) can be written as F2,idb (x) =

q+1 

F2,idb ,i · xi = xq+1 +

i=0

q 

F2,idb ,i · xi

i=0 i

where F2,idb ,i is the coefficient of x in F2,idb (x). B sets the ciphertext c = (u, v, w) as follows. In the following β = βx corresponding to ta x if b = 0 or β = βy corresponding to ta y if b = 1. q i (q+1) (g (αβ)−g2 (idb )) ) B sets u = g  2 , v = Z (β · e(g  , i=0 g F2,idb ,i ·(αβ) ) and w = m 0 /(ˆ e(u, hid0 ,x ) · v rid0 ,x ) if b = 0 and w = m 1 /(ˆ e(u, hid1 ,y ) · v rid1 ,y ) if b = 1. To see that c = (u, v, w) is a valid and appropriately distributed ciphertext when Z = e(gq+1 , g  ), first let s = logg (g  ) · F2,idb (αβ). Note that s is uniformly random as logg (g  ) is uniformly random and the βi values are chosen uniformly at random. We will show that c is constructed using “implicit” randomness s. Now g  = g s/(F2,idb (αβ)) = g (s(αβ−idb ))/(g2 (αβ)−g2 (idb )) . Therefore, u = g s(αβ−idb ) . If Z is a random element in GT then v is random in GT . On the other hand, if Z = e(gq+1 , g  ), then v = e(g, g)s since it can be shown that e(g  ,

q 

g F2,idb ,i ·(αβ) ) = e(g  , g F2,idb (αβ)−(αβ) i

q+1

)

i=0

and therefore, it can be shown that v = Z (β

(q+1)

)

· e(g  ,

q 

i

g F2,idb ,i (αβ) ) = e(g, g)s .

i=0

Finally, note that for any private key didb ,i = (ridb ,i , hidb ,i ) corresponding to ta i ∈ T , it can be shown that e(u, hidb ,i ) · v ridb ,i = e(g, hi )s . Therefore, w = m b · e(g, hx )−s if b = 0 and w = m b · e(g, hy )−s if b = 1. – Phase 2: A continues to make key extraction queries and B responds as in Phase 1. – Guess: Finally, the adversary outputs a guess b ∈ {0, 1}. If b = b then B outputs 0 indicating that Z = e(gq+1 , g  ); otherwise, it outputs 1. We have already shown that the public-keys and ciphertexts are appropriately distributed. We now show that the private keys issued by B are appropriately distributed as well. If Ii denotes the set consisting of αβi , id b and all the identities queried by A for tai then |Ii | ≤ (q + 1). Then, from A’s view the values {fi (a) : a ∈ I} are uniformly random and independent and this follows from the fact that fi (x) is a uniformly random polynomial of degree q.

292

K.G. Paterson and S. Srinivasan

Probability Analysis: As we have already seen, if Z = e(g(q+1) , g  ), then the simulation is perfect and A will guess the bit b with probability (1/2) +  . On the other hand, if Z is a random element in GT then, u, v are uniformly random and independent elements in G, GT respectively. It remains to reason about w. Now, w = m b /(ˆ e(u, hidb ,i ) · v ridb ,i ) where i is x or y corresponding to ta x or ta y . The value in the denominator can be expressed as follows: e(u, hidb ,i ) · v ridb ,i = e(u, hi )1/(αβi −idb ) · (v/e(u, g)1/(αβi −idb ) )fi (idb ) . Now fi (idb ) is independent of A’s view. Therefore as long as the inequalities v  = e(u, g)1/(αβx −id0 ) , v  = e(u, g)1/(αβx −id1 ) and v  = e(u, g)1/(αβy −id0 ) , v  = 1/(αβy −id1 ) e(u, g) hold (and they hold with probability (1 − 4/p)), the value e(u, hidb ,i ) · v ridb ,i is random and independent of A’s view. Consequently the value w is random and independent of A’s view. This implies that if Z is a random element then (u, v, w) can impart no information regarding the bit b. Assuming that no queried identity equals αβj such that g αβj is in one of the challenges CHALj , (which would only increase B’s success probability), we can see that:      , g1 , g2 , . . . , gq , e(g(q+1) , g  ), Z) = 1) − 1/2 ≤ (4/p) Pr(B(g  , g(q+2)  when (g  , g(q+2) , g1 , g2 , . . . , gq , e(g(q+1) , g  ), Z) is sampled from RABDHE . However,      , g1 , g2 , . . . , gq , e(g(q+1) , g  ), Z) = 1) − 1/2 ≥  Pr(B(g  , g(q+2)  when (g  , g(q+2) , g1 , g2 , . . . , gq , e(g(q+1) , g  ), Z) is sampled from PABDHE . Thus, for uniformly random g, g  , α, Z we have:  | Pr(B(g  , g(l+2) , g1 , g2 , . . . , gl , e(g(l+1) , g  ))  − Pr(A(g  , g(l+2) , g1 , g2 , . . . , gl , Z)| ≥  − (4/p).

Time-Complexity: In the simulation, B’s overhead is dominated by computing g Fid,i (αβi ) in response to A’s key generation query on identity id for ta i ∈ T , where Fid,i (x) is a polynomial of degree (q − 1). Each such computation requires O(q) exponentiations in G. Since A makes at most (q − 1) such queries for each TA, t = t + O(texp · n · q 2 ).

Multi-recipient Public-Key Encryption from Simulators in Security Proofs Harunaga Hiwatari1 , Keisuke Tanaka2 , Tomoyuki Asano1 , and Koichi Sakumoto1 1

2

Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo, 108-0075, Japan {Harunaga.Hiwatari,Tomoyuki.Asano,Koichi.Sakumoto}@jp.sony.com Dept. of Mathematical and Computing Sciences, Tokyo Institute of Technology 2-12-1 Ookayama, Meguro-ku, Tokyo 152-8552, Japan [email protected]

Abstract. In PKC 2003, Bellare, Boldyreva, and Staddon proposed the reproducibility test. The test determines whether a single-recipient public-key encryption scheme is adapted to transform into an efficient multi-recipient public-key encryption scheme. In this paper, we propose a new approach to design an efficient multi-recipient single-message publickey encryption scheme. We focus on a certain simulator which appears in the security proof of an ordinary (single-recipient) public-key encryption scheme. By considering the behavior of the simulator, we construct two efficient multi-recipient single-message public-key encryption schemes. These schemes show that there exist schemes which can be transformed into efficient multi-recipient schemes, even they do not pass the reproducibility test. Keywords: public-key encryption, multi-recipient, broadcast encryption, simulator, IND-CCA.

1 1.1

Introduction Background

Multi-recipient public-key encryption (PKE) is a technology to encrypt messages for several recipients. Suppose that there are n recipients. In a trivial multi-recipient PKE scheme, a ciphertext consists of n independently encrypted messages by an ordinary (single-recipient) PKE scheme. However, this trivial scheme requires n times of the encryption cost and the ciphertext length of the underlying single-recipient PKE scheme. In [13], Kurosawa constructed more efficient schemes from specific single-recipient PKE schemes by reusing the randomness across the single-recipient PKE algorithms with the distinct public keys of the recipients. This randomness-reuse technique produces efficient multirecipient PKE schemes, however, may weaken the security. In order to provide a generic construction of secure and efficient multi-recipient PKE schemes from single-recipient ones, Bellare, Boldyreva, and Staddon [2] introduced the notion of reproducibility. This notion is used to determine whether C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 293–308, 2009. c Springer-Verlag Berlin Heidelberg 2009 

294

H. Hiwatari et al.

the randomness-reuse technique for the single-recipient PKE scheme maintains the security of the multi-recipient PKE scheme. In [2,13], they also proposed multi-recipient single-message PKE schemes which allow a sender to broadcast a single message for all recipients. They constructed these schemes as hybrid versions. In [15], Smart proposed the MKEM/DEM framework as a multiple-recipient version of the KEM/DEM framework. He divided a multi-recipient single-message hybrid encryption scheme into a multi-recipient key encapsulation mechanism (MKEM) and a data encapsulation mechanism (DEM). An MKEM is used to encrypt a single session key for multiple recipients. In [2,13,15], they also proposed the MKEMs by using the same structure such that: 1. Generate a single session key at random. 2. Encrypt the session key by using a multi-recipient single-message PKE scheme. 3. Output the session key and the ciphertext of it. In the above structure, they require a multi-recipient single-message PKE scheme. It is the difference between a PKE and a KEM whether the encrypted data is a message chosen by sender or a random string. In general, a KEM is more efficient than a PKE scheme. If an MKEM can be constructed without using a multi-recipient single-message PKE scheme, one might design a more efficient MKEM. Two different techniques which realize such MKEMs were proposed in [1,10,16]. pk1, ..., pkn ...

pk1 MKEM KEM

φ1

dk

DEM

...

KEM

...

dk1 PRNG

pkn

χ1

...

φn

dkn dk

DEM

χn

dk

Fig. 1. The structure of the MKEM proposed in [16]

In [16], Yasuda, Kobayashi, Aoki, Fujisaki, and Fujioka proposed a generic transformation from KEMs and DEMs into an MKEM. We describe the structure of the MKEM in Fig. 1 and the procedure as follows: 1. Generate a single session key dk at random. 2. Generate multiple intermediate keys (dk1 , dk2 , . . . , dkn ) and their ciphertexts (φ1 , φ2 , . . . , φn ) by invoking a KEM multiple times with distinct user’s public keys (pk1 , pk2 . . . , pkn ).

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

295

3. Encrypt the session key dk by using a DEM with intermediate key dki for each i ∈ {1, . . . , n}. 4. Output the session key dk, the multiple ciphertexts of the session key (χ1 , χ2 , . . . , χn ), and the ciphertexts of the intermediate keys (φ1 , φ2 , . . . , φn ). In general, a KEM does not guarantee to generate a same session key with distinct public keys. Their idea is to encrypt a single session key with distinct intermediate keys of the users by using a DEM. This technique can be applied to any KEM. If we apply the conversion to the Kurosawa-Desmedt scheme [14], we can obtain an efficient MKEM. However, a DEM is invoked multiple times in the resulting scheme. They proved its security by using the hybrid argument, and the reduction efficiency of the security proof becomes lower in proportion to the number of the recipients. In [1], Barbosa and Farshim proposed a KEM. The proposed KEM can guarantee to generate the same session key when using the same random coin with distinct public keys. This property allows us to convert the KEMs into the MKEMs without using a DEM. We describe the structure of MKEM in Fig. 2 and the procedure as follows: 1. Using the randomness-reuse technique, generate a session key dk and ciphertexts (φ1 , φ2 , . . . , φn ) by invoking a KEM multiple times with distinct user’s public keys (pk1 , pk2 . . . , pkn ). Note that although we do not explicitly state for illustrative purposes, one can batch the same computation and ciphertext by using the randomness-reuse technique. 2. Output the session key dk and the multiple ciphertexts of the session key (φ1 , φ2 , . . . , φn ). Since the MKEM consists of a KEM without a DEM, one may prove the security of the MKEM without using the hybrid argument. Therefore, the reduction efficiency of the security proof may be tight. However, proving the security of the proposed KEM in [1] remains as an open problem.

pk1, ..., pkn ...

pk1 MKEM KEM dk

φ1

... ...

pkn KEM dk

... dk

Fig. 2. The structure of the MKEM proposed in [1]

φn

296

H. Hiwatari et al.

In [10], Hofheinz and Kiltz proposed a provable secure and more efficient KEM which has the above property. Both of the proposed schemes in [1] and [10] were designed by modifying specific single-recipient KEMs. 1.2

Our Contribution

We propose a new approach to design efficient MKEMs which have the structure described in Fig. 2. We focus on a certain simulator which appears in the security proof of a single-recipient PKE scheme. By observing the behavior of the simulator, we construct two efficient MKEMs based on the schemes proposed in [5] and [9], respectively. The proposed scheme based on [5] is the most efficient scheme among the MKEMs which are secure against chosen-ciphertext attacks under the hashed decisional Diffie-Hellman (HDDH) assumption without MAC. The other proposed scheme based on [9] is one of the most efficient schemes among the MKEMs whose reduction efficiency of the security proof is tight, and which is secure against constrained chosen-ciphertext attacks introduced in [11] under the HDDH assumption. Our constructions show that there exist single-recipient PKE schemes which can be transformed into efficient multi-recipient schemes, even they do not pass the reproducibility test. 1.3

Relation to Broadcast Encryption

MKEM is related to a previously proposed primitive called public-key broadcast encryption [3]. This primitive requires the key generation center to generate public/secret key pairs of all users at the setup phase. In MKEM, each user generates its own public/secret key pair by themselves. Therefore, users can join the system any time without help of the third party. On the other hand, in many broadcast encryption schemes, the number of users must be fixed at the setup phase. There are only few schemes with the dynamic join property, e.g., recently proposed scheme in [8]. Even in these schemes, users must require the key generation center to generate their own key pairs when they join the system. 1.4

Organization

The organization of this paper is as follows. In Section 2, we review some definitions. In Section 3, we propose a new approach to design efficient MKEMs. In Section 4 and 5, we construct new schemes. We conclude in Section 6.

2 2.1

Preliminaries Hashed Decisional Diffie-Hellman Assumption

In this section, we review the definition of the hashed decisional Diffie-Hellman (HDDH) assumption.

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

297

Let G be an abelian group of order p, where p is a large prime, and let h : G → D be a function. Definition 1. For a probabilistic polynomial-time algorithm A that outputs a single bit, we define Advhddh,A to be |

Pr

g∈R G,x,y∈R Zp

−

[A(g, g x , g y , h(g xy )) = 1] Pr

g∈R G,x,y∈R Zp ,Z∈R D

[A(g, g x , g y , Z) = 1]|.

The hashed decisional Diffie-Hellman (HDDH) assumption is that, for any A, Advhddh,A is at most hddh as a negligible function of the security parameter. If h is the identity function from G to G, the above assumption is identical to the HDDH assumption. It is known that the HDDH assumption is not stronger than the DDH assumption. 2.2

Target Collision Resistant Hash Function

In this section, we review the definition of the target collision resistant hash function. Definition 2. For a probabilistic polynomial-time algorithm A, we define Advtcr,A to be Pr [A(x, h) = y|h(x) = h(y)] x∈R G,h∈R H

where h ∈ H is a hash function and G is a domain of this function. H is target collision resistant family of hash functions if for any A, Advtcr,A is at most tcr as a negligible function of the security parameter. 2.3

Key Encapsulation Mechanisms

In this section, we review the KEM/DEM framework which is used for construction of secure hybrid encryption schemes [7]. Hybrid encryption schemes are a kind of PKE scheme which use PKE techniques for key distribution and secret-key encryption techniques for message encryption. If we encrypt a message using a hybrid encryption scheme, we take the two steps as follows. 1. Generate a random session key and a ciphertext of it using public key encryption techniques with recipient’s public key. 2. Encrypt the message using symmetric key encryption techniques with the session key which is generated in step 1. Cramer and Shoup showed that these two steps can be separated and security criteria can be defined for each section individually [7]. The first and second steps are known as key encapsulation mechanisms (KEM) and data encapsulation mechanisms (DEM), respectively. The KEMs consist of the following algorithms. Through this paper, we use λ and KD to describe a security parameter and a key space of DEM, respectively.

298

H. Hiwatari et al.

– A probabilistic polynomial-time common-key generation algorithm Gkem , which takes as input a security parameter 1λ , outputs a common key I. For given I, a randomness space R(I) is uniquely determined. – A probabilistic polynomial-time key generation algorithm Kkem , which takes as input a common key I, outputs a public/secret key pair (pk, sk). – A probabilistic polynomial-time encryption algorithm Ekem , which takes as input a common key I and a public key pk, outputs a pair (dk, φ) where dk is a key for DEM and φ is a ciphertext of dk, using a random coin r ∈R R(I). – A deterministic polynomial-time decryption algorithm Dkem , which takes as input a common key I, a secret key sk and a ciphertext φ, outputs a key dk or the special symbol reject. A common-key generation algorithm is usually omitted or included in a key generation algorithm. In this paper, for convenience of explanation, we explicitly describe the common-key generation algorithm. A common key I may include the description of group and hash function. We require that, for any λ ∈ N, if I ← Gkem (1λ ) and (pk, sk) ← Kkem (I), Pr

r∈R R(I)

[dk  = Dkem (sk, φ, I)|(dk, φ) ← Ekem (pk, I; r)] ≤ ,

where  denotes negligible. We review the indistinguishability against chosen ciphertext attacks (INDCCA) for KEM. Definition 3. Let Πkem = (Gkem , Kkem , Ekem , Dkem ) be a KEM and let A be an adversary. For λ ∈ N, we define the advantage of A as ind-cca-0 ind-cca-1 Advind-cca Πkem ,A (λ) = | Pr[ExpΠkem ,A (λ) = 1] − Pr[ExpΠkem ,A (λ) = 1]|

where, for b ∈ {0, 1}, Experiment Expind-cca-b Πkem ,A (λ) I ← Gkem (1λ ); (pk, sk) ← Kkem (I); (dk0 , φ∗ ) ← Ekem (pk, I); dk1 ∈R KD ; b ∈R {0, 1}; d ← AO (dkb , φ∗ , pk, I); return d where O answers Dkem (sk, φ, I), when A queries φ ( = φ∗ ). We say that Πkem is secure in the sense of IND-CCA, if for any A, Advind-cca Πkem ,A (λ) is negligible. 2.4

Multi-recipient KEMs

In this section, we review the definition of MKEMs which are introduced by Smart [15]. A multi-recipient hybrid encryption scheme consists of MKEM and DEM. The MKEMs are defined similarly to KEMs, however, the encryption algorithm takes multiple public keys pk (:= (pk1 , pk2 , . . . , pkn )) as input.

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

299

– A probabilistic polynomial-time common-key generation algorithm Gmkem , which takes as input a security parameter 1λ , outputs a common key I. – A probabilistic polynomial-time key generation algorithm Kmkem , which takes as input a common key I, outputs a public/secret key pair (pk, sk). – A probabilistic polynomial-time encryption algorithm Emkem , which takes as input a common key I and a vector of public keys pk = (pk1 , pk2 , . . . , pkn ), outputs a pair (dk, φ) where dk is a key for DEM and φ is a ciphertext of dk. – A deterministic polynomial-time decryption algorithm Dmkem , which takes as input a common key I, a ciphertext φ, a secret key ski , and an index i which corresponds to the index of pki used in the Emkem algorithm, outputs a key dk or the special symbol reject. We review IND-CCA for MKEM. Definition 4. Let Πmkem = (Gmkem , Kmkem , Emkem , Dmkem ) be a MKEM and let A be an adversary. For λ ∈ N, we define the advantage of A as ind-cca-0 ind-cca-1 Advind-cca Πmkem ,A (λ) = | Pr[ExpΠmkem ,A (λ) = 1] − Pr[ExpΠmkem ,A (λ) = 1]|

where, for b ∈ {0, 1}, Experiment Expind-cca-b Πmkem ,A (λ) I ← Gmkem (1λ ); for i = 1, . . . , n (pki , ski ) ← Kmkem (I); (dk0 , φ∗ ) ← Emkem (pk, I); dk1 ∈R KD ; b ∈R {0, 1}; d ← AO (dkb , φ∗ , pk, I); return d where O is the decryption oracle. It answers Dmkem (i, ski , φ, I), when A queries (i, φ) such that the ciphertext φ does not contain a target ciphertext for user i. We say that Πmkem is secure in the sense of IND-CCA, if for any A, Advind-cca Πmkem ,A (λ) is negligible. 2.5

Constrained Chosen-Ciphertext Security for MKEMs

Hofheinz and Kiltz [11,10] proposed a relaxed security notion of IND-CCA, which is called indistinguishable against constrained chosen ciphertext attacks (INDCCCA). Intuitively, an adversary A is only allowed to make a decryption query when A already has some a priori knowledge about the session key. They denoted the priori knowledge by an efficiently computable boolean predicate pred : KD → {0, 1}. If pred(dk) = 1, then the session key is returned, and ⊥ otherwise. They showed that though IND-CCCA was weaker than IND-CCA, IND-CCCA KEM was sufficient for constructing a secure hybrid encryption scheme if authenticated symmetric encryption scheme was used as a DEM.

300

H. Hiwatari et al.

We can easily extend the above composition theorem for MKEM/DEM framework. The IND-CCCA security for MKEM is defined as follows. Definition 5. Let Πmkem = (Gmkem , Kmkem , Emkem , Dmkem ) be a MKEM and let A be an adversary. For λ ∈ N, we define the advantage of A as ind-ccca-0 Advind-ccca Πmkem ,A (λ) = | Pr[ExpΠmkem ,A (λ) = 1]

− Pr[Expind-ccca-1 Πmkem ,A (λ) = 1]| where, for b ∈ {0, 1}, Experiment Expind-ccca-b Πmkem ,A (λ) I ← Gmkem (1λ ); for i = 1, . . . , n (pki , ski ) ← Kmkem (I); (dk0 , φ∗ ) ← Emkem (pk, I); dk1 ∈R KD ; b ∈R {0, 1}; d ← ACO (dkb , φ∗ , pk, I); return d where CO is the constrained decryption oracle. When A issues a query (i, φ, pred) to CO, if pred(Dmkem (i, ski , φ, I)) = 1, then  the session key is returned, and ⊥ otherwise. We define uncertA = (1/Qd ) 1≤j≤QD Prdk∈R KD [predj (dk) = 1]. The adversary A must control uncertA to be negligible. We say that Πmkem is secure in the sense of IND-CCCA, if for any A, Advind-ccca Πmkem ,A (λ) is negligible.

3

Our Approach for Construction of MKEMs

Bellare, Boldyreva, and Staddon [2] introduced the notion of reproducibility. Intuitively, if a PKE scheme is reproducible, one can convert a ciphertext which is an encryption of message m1 for user ua into another ciphertext which is an encryption of message m2 for user ub without changing a randomness used in these ciphertexts. This notion is used to determine whether the randomness-reuse technique for the single-recipient PKE scheme maintains the security of the multi-recipient PKE scheme. The reproducibility test is useful, however the reduction efficiency of the security proof of the multi-recipient PKE scheme becomes lower in proportion to the number of recipients. They also proposed concrete schemes whose reduction efficiency is tight by using the random self-reducibility of the discrete logarithm problem, however these multi-recipient PKE schemes are not obtained through the reproducibility test. Barbosa and Farshim [1] proposed weakly reproducibility for multi-recipient single-message PKE schemes, by restricting the reproducibility test to be used in the single message setting. They also proposed the direct reproducibility test to construct schemes whose reduction efficiency is tight. However, all of the above

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

301

reproducibility tests are not used to construct efficient MKEMs, since a session key of each user becomes different, even using the randomness-reuse technique. We observe that the above proposed reproducibility tests are designed based on the behavior of a simulator which appears in the security proof of PKE schemes. The simulator runs as follows: 1. Obtain an instance of the problem that the simulator tries to solve (e.g. the DDH instance). 2. Generate public key from the instance as an input to an adversary against the PKE. 3. Construct a target ciphertext from the instance and the public key. In fact, if a scheme passes the test, we can construct another simulator which given a public key, can simulate the environment of an adversary against the multi-recipient scheme. Although the previous results capture the above behavior of the simulator, we consider that they do not capture another type of simulator which uses an algebraic trick from selective-ID secure identity-based encryption. We call such a simulator the sID simulator. It has a feature that it can simulate the decryption oracle without a real secret key. It runs as follows: 1. Obtain an instance. 2. Generate a part of a target ciphertext from the instance. 3. Generate a public key with a witness from the instance and the part of the target ciphertext. 4. Construct an entire target ciphertext. At first, given an instance, the sID simulator generates a part of a target ciphertext. Next, it generates a public key and some witness from the generated part of the target ciphertext and then constructs the entire target ciphertext. It can simulate a decryption oracle by using the witness. Though the witness is not a secret key, it enables the simulator to decrypt almost all of the ciphertexts. This technique is used in the proof of the most recently proposed PKE schemes [5,9,10,12]. Our approach for construction of an efficient MKEM applies the behavior of the sID simulator as key generation and decryption algorithms of KEM. In general, an MKEM can be designed on the basis of a KEM, by sharing a partial public key as a common public key among the users and by using the randomnessreuse technique. Sharing as many parts of public keys as possible for the purpose of batch process results in more efficient MKEMs. However, the users can share only some restricted parts of public keys which do not correspond to any individual secret information of users. We find that the behavior of the sID simulator is useful for the achievement of the above purpose. Recall that in a security proof of PKE schemes, the sID simulator sets a part of an instance of a problem (e.g. the DDH problem) as a part of a public key and generates the entire public key and some witness. It simulates the decryption oracle by using the witness instead of a secret key (e.g. the discrete logarithm of the part of the instance) corresponding to the partial public key.

302

H. Hiwatari et al.

Table 1. The table intuitively shows the relation ship between items used in the sID simulator and the proposed MKEM sID simulator

proposed MKEM

a part of instance public key witness a part of target ciphertext

common key individual public key secret key a part of secret key

behavior of the simulator

MKEM based on the simulator

how to generate a public key with a witness how to simulate the decryption oracle

key generation algorithm decryption algorithm

In the multi-recipient setting, we set the partial public key (of the sID simulator) as a common public key, and generates each user’s individual public key and secret key using the common public key and the witness. Therefore, if users mimic the behavior of the sID simulator, they can decrypt almost all of the ciphertexts by using the secret key. Only the ciphertexts a user can not decrypt are ones using the same random value as selected by the user in the key generation phase, and the probability is 1/p.

4

Our Scheme: Cash-Kiltz-Shoup Variant

In this section, we propose an MKEM based on the KEM [5]. The proposed scheme is the most efficient scheme among the MKEMs which is secure under the HDDH assumption without MAC. We construct the scheme from the behavior of the simulator which appears in the security proof [5]. Gmkem (1λ ): Choose a multiplicative group G with prime order p, a target collision resistant hash function TCR : G → Z∗p , and a hash function h : G → KD . Then, pick two generators g, c1 ∈R G at random and set the common key I := (p, G, g, c1 , T CR, h). Kmkem (I): Pick s, t, w1 , w2 , α ˆ ∈R Zp at random, compute c2 ← g s c−t 1 , d1 ← −α ˆ w1 −α ˆ w2 c1 g , and d2 ← c2 g . Then, set the public key pk := (c2 , d1 , d2 ) and the secret key sk := (s, t, w1 , w2 , α ˆ ). Emkem (pk, I): Pick r ∈R Zp at random and compute u ← g r and α ← TCR(u). Then, parse pk as each user’s public key (pk1 , pk2 , . . . , pkn ), and for i = r 1, 2, . . . , n, parse pki as (c2,i , d1,i , d2,i ) and compute v1,i ← (cα 1 d1,i ) and α r v2,i ← (c2,i d2,i ) for each user. Finally, compute the data key dk ← h(cr1 ) and set the ciphertext φ := (u, v 1 , v 2 ) where v j := (vj,1 , vj,2 , . . . , vj,n ) for j ∈ {1, 2}.

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

303

Dmkem (i, ski , φ, I): Parse φ as (u, v 1 , v 2 ), compute α ← TCR(u), and check ?

whether α = α. ˆ If satisfied, output the special symbol reject. Otherwise ˆ parse v j as (vj,1 , vj,2 , . . . , vj,n ) for j ∈ {1, 2}, compute v˜1 ← (v1,i u−w1 )1/(α−α) ?

ˆ and v˜2 ← (v2,i u−w2 )1/(α−α) , and check whether v˜1t v˜2 = us . If not, output reject. Otherwise, compute the session key dk ← h(˜ v1 ).

Note that the event that reject ← Dkem (i, ski , φ, I) such that (dk, φ) ← Ekem (pk, I) occurs with negligible probability. Firstly, to show the security of above scheme, we review the following lemma which is introduced in [5]. Lemma 1 (Trapdoor Test [5]). Let G be a cyclic group of prime order p, and g be a element in G. Suppose c1 ∈R G and s, t ∈R Zp . We define c2 := g s c−t 1 and denote u, v1 , v2 are elements in G. Then we have: (1) c2 is uniformly distributed over G; (2) c1 and c2 are independent; (3) if c1 = g x1 and c2 = g x2 , then the ? probability that the truth value of v1t v2 = us does not agree with the truth value ?

?

of v1 = ux1 ∧ v2 = ux2 is at most 1/p. Theorem 1. Let G be an abelian group of order p, where p is a large prime, and let TCR be a target collision resistant hash function. Then, the above scheme is secure in the sense of IND-CCA under the HDDH assumption on a hash function h. In particular, for any adversary A which makes at most Qd decryption queries, Advind-cca Πmkem ,A (λ) ≤ tcr + hddh + Qd /p. Proof. We consider a sequence of games. In this proof, Si denotes the event that b = d in Game i and φ = (u∗ , v ∗1 , v ∗2 ) and α∗ denote the target ciphertext and TCR(u∗ ). Game 0. Let Game 0 be the original game. Advind-cca Πmkem ,A (λ) = | Pr[S0 ] − 1/2|. Game 1. Let Game 1 be like Game 0, but with the following difference. If an adversary asks a ciphertext containing u  = u∗ such that TCR(u) = TCR(u∗ ), Game 1 aborts. Using a property of target collision resistant hash functions, it is easy to show that | Pr[S1 ] − Pr[S0 ]| ≤ tcr . Game 2. Let Game 2 be like Game 1, but with the following difference. For computing the secret key, instead of choose α ˆ i at random for i = 1, 2, . . . , n, ∗ the experiment picks r∗ at random, computes u∗ ← g r , and sets αˆi ← α∗ (:= TCR(u∗ )) for all i. Moreover, we modify the decryption oracle. If the adversary asks a ciphertext containing u∗ , then the decryption oracle immediately outputs reject. Using Lemma 1, we show that | Pr[S2 ] − Pr[S1 ]| ≤ Qd /p.

304

H. Hiwatari et al.

Even if α ˆ i is fixed, c2,i , d1,i , and d2,i are uniformly distributed over G. The distribution of public keys in Game 2 is same as that in Game 1. From the view of adversary, for all i, there are many potential secret key corresponding to the given public key. For any potential secret key (w1,i , w2,i , α ˆ i ) except for (·, ·, α∗ ), the decryption algorithm would compute ∗ ∗ v˜1 ← (v1,i (u∗ )−w1,i )1/(α −αˆ i ) and v˜2 ← (v2,i (u∗ )−w2,i )1/(α −αˆ i ) for a ciphertext containing u∗ . If v˜1ti v˜2 = (u∗ )si , Lemma 1 guarantees with overwhelming probability that (u∗ )logg c1 = v˜1 and (u∗ )logg c2,i = v˜2 . (u∗ )logg c1 = v˜1 r ∗ (α∗ −α ˆi )

⇐⇒ c1

∧ ∗

= (v1,i (g −w1,i )r ) ∗

⇐⇒

−α ˆ i w1,i r v1,i = (cα g ) 1 c1

⇐⇒

r v1,i = (cα 1 d1,i )

⇐⇒

∗ v1,i = v1,i

∗

∗

∧ ∗

(u∗ )logg c2,i = v˜2 r ∗ (α∗ −α ˆi)

c2,i

∗

= (v2,i (g −w2,i )r ) ∗

∧

−α ˆ i w2,i r v2,i = (cα ) 2,i c2,i g

∧

r v2,i = (cα 2,i d2,i )

∧

∗ v2,i = v2,i

∗

∗

∗

Therefore, for any potential secret key, the probability that the decryption algorithm does not output reject for a ciphertext containing u∗ queried by an adversary is at most 1/p. Furthermore, we show that | Pr[S2 ] − 1/2| ≤ hddh . We assume that there is an adversary A which breaks Game 2. We construct an algorithm B which solves the HDDH problem using the adversary A. ¯ ¯ For a given HDDH instance (g, g a¯ , g b , Z), B sets u∗ := g a¯ and c1 := g b . The algorithm B slightly changes the key generation algorithm to always ∗ set α ˆ i ← α∗ (:= TCR(u∗ )) for all i. Then, for each i, B computes v1,i ← ∗ w1,i α∗ a ¯ ∗ ∗ w2,i α∗ a ¯ ∗ ∗ (u ) (:= (c1 d1,i ) ) and v2,i ← (u ) (:= (c2,i d2,i ) ) and sets (u , v 1 , v ∗2 ) as a target ciphertext. Next, B provides A with (Z, (u∗ , v ∗1 , v ∗2 )). If A makes decryption query, B simulates the decryption oracle in Game 2 by using secret keys that B generates. Finally, A outputs a bit d as his guess, and B outputs the same bit d. 

5

Our Scheme: Hanaoka-Kurosawa Variant

In this section, we propose an MKEM based on the KEM [9]. The proposed scheme is one of the most efficient schemes among the MKEMs whose reduction efficiency is tight and which is secure under the HDDH assumption. Similar to our scheme based on [5], we construct the scheme from the behavior of the simulator which appears in the security proof [9]. Gmkem (1λ ): Choose a multiplicative group G with prime order p, a target collision resistant hash function TCR : G → Z∗p , and a hash function h : G → KD . Then, pick two generators g, y0 ∈R G at random and set the common key I := (p, G, g, y0 , T CR, h).

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

305

Kmkem (I): Pick s, t, Fs , Ft ∈R Zp at random, define the quadratic polynomial f (x) := a0 +a1 x+a2 x2 over Zp such that (f (0), f (s), f (t)) = (logg y0 , Fs , Ft ), and for i ∈ {1, 2}, compute yi ← g ai without the knowledge of ai . Then, set the public key pk := (y1 , y2 ) and the secret key sk := (s, t, Fs , Ft ). Emkem (pk, I): Pick r ∈R Zp at random and compute u ← g r and α ← TCR(u). Then, parse pk as each user’s public key (pk1 , pk2 , . . . , pkn ), and for i = rα rα2 1, . . . , n, parse pki as (y1,i , y2,i ) and compute vi ← y0r y1,i y2,i (:= ufi (α) ) for r each user. Finally, compute the data key dk ← h(y0 ) and set the ciphertext φ := (u, v1 , v2 , . . . , vn ). Dmkem (i, ski , φ, I): Parse φ as (u, v1 , v2 , . . . , vn ), compute α ← TCR(u), and check whether α ∈ {s, t}. If satisfied, output the special symbol reject. Otherwise, define the quadratic polynomial f  (x) over Zp such that  (f  (α), f  (s), f  (t)) = (logu vi , Fs , Ft ) and compute the data key dk ← h(uf (0) ) by using the Lagrange interpolation method. Theorem 2. Let G be an abelian group of order p, where p is a large prime, and let TCR be a target collision resistant hash function. Then, the above scheme is secure in the sense of IND-CCCA under the HDDH assumption on a hash function h. In particular, for any adversary A which makes at most Qd decryption queries, Advind-ccca Πmkem ,A (λ) ≤ tcr + hddh + uncertA · Qd . The security proof is almost the same proof in [9]. However, unlike the original scheme, invalid ciphertexts only get rejected implicitly using the security properties of DEM in the above proposed scheme. When an adversary sends a query including a part of target ciphertext, the analysis is slightly different from the proof in the original scheme. Proof. We consider a sequence of games. In this proof, Si denotes the event that b = d in Game i and φ = (u∗ , v1∗ , v2∗ , . . . , vn∗ ) and α∗ denote the target ciphertext and TCR(u∗ ). Game 0. Let Game 0 be the original game. Advind-cca Πmkem ,A (λ) = | Pr[S0 ] − 1/2|. Game 1. Let Game 1 be like Game 0, but with the following difference. If an adversary asks a ciphertext containing u  = u∗ such that TCR(u) = TCR(u∗ ), Game 1 aborts. Using a property of target collision resistant hash functions, it is easy to show that | Pr[S1 ] − Pr[S0 ]| ≤ tcr . Game 2. Let Game 2 be like Game 1, but with the following difference. For computing the secret key, instead of choose si at random for i = 1, 2, . . . , n, ∗ the experiment picks r∗ at random, computes u∗ ← g r , and sets si ←

306

H. Hiwatari et al.

α∗ (:= TCR(u∗ )) for all i. Moreover, we modify the decryption oracle. If the adversary asks a ciphertext containing u∗ , then the decryption oracle immediately outputs reject. We show that | Pr[S2 ] − Pr[S1 ]| ≤ uncertA · Qd . 

Suppose (i, (u, v1 , v2 , . . . , vn ), pred) is a query of A such that pred(h(ufi (0) )) = 1, but ufi (0)  = vi . We notice that for any f (x), α∗ , and α(:= TCR(u)), the  value f (0) takes many different points according to different points for ti included in the secret key of user i. This can be proven by a contradiction as follows: Fix f (x), α∗ , α, and Fα  = f (α). For ti ∈ (Zp \ {α∗ , α}), let fti (x) be a polynomial of degree at most two such that fti (α∗ ) = f (α∗ ), fti (α) = Fα , and fti (ti ) = f (ti ). Then, we will show that for any (ti , t¯i ) ∈ (Zp \ {α∗ , α})2 and ti  = t¯i , fti (0)  = ft¯i (0). Suppose that fti (0) = ft¯i (0). Then fti (x) = ft¯i (x) because they intersect at three points, x = 0, α∗ and α. In this case, f (x) = fti (= ft¯i ) since they intersect at three points, x = α∗ , ti , and t¯i . However, this is a contradiction since fti (α) = Fα  = f (α). Hence, even if  A has unlimited computational power, the event that pred(h(uf (0) )) = 1 occurs with the probability of uncertA . Furthermore, we show that | Pr[S2 ] − 1/2| ≤ hddh . We assume that there is an adversary A which breaks Game 2. We construct an algorithm B which solves the HDDH problem using the adversary A. For a Table 2. Comparison for IND-CCA secure MKEMs. For efficiency, we count the number of pairings, multi (or sequential)-exponentiations, and single-exponentiations for encryption and decryption. For ciphertext length, we denote the length of a group, an authentication tag, and ciphertext length of secret key encryption scheme by |G|, |mac|, and |ske|, respectively. We explicitly separate a DEM into an authentication tag and ciphertext of secret key encryption scheme. For comparison with other schemes, we apply randomness-reuse technique and transformation technique introduced in [16] to original KEMs. The schemes applied transformation technique which can convert KEM into MKEM by using DEMs have a property that reduction efficiency becomes lower in proportion to the number of recipients. based scheme

security

reduction

assumption

cost

encryption

decryption

key size

CS98 [6]

DDH

1

0 + [n, n + 2]

0 + [1, 1]

2/3/5

2n|G|

KD04 [14]

DDH

1/n

0 + [n, 2]

0 + [1, 0]

2/2/4

2|G| + n|mac| + n|ske|

BMW05 [4]

BDH

1/n

0 + [n, n + 1]

1 + [1, 0]

2/3/3

n|G| + n|ske|

Kiltz07 [12]

GHDDH

1/n

0 + [n, n + 1]

0 + [1, 0]

1/2/2

n|G| + n|mac| + n|ske|

#pairings + #[multi, single]-exp (I/pk/sk)

ciphertext length

HK07 [10]

HDDH

1

0 + [n, 2]

0 + [1, 0]

2/2/3

n|G| + |mac|

CKS08 [5]

HDDH

1/n

0 + [2n, n + 1]

0 + [1, 0]

1/4/4

2n|G| + n|ske|

HK08 [9]

HDDH

1/n

0 + [n, n + 1]

0 + [1, 0]

1/3/3

n|G| + n|mac| + n|ske|

Ours (CKS08)

HDDH

1

0 + [2n, 2]

0 + [2, 2]

2/3/5

2n|G|

Ours (HK08)

HDDH

1

0 + [n, 2]

0 + [1, 0]

2/2/4

n|G| + |mac|

Multi-recipient Public-Key Encryption from Simulators in Security Proofs ¯

307

¯

given HDDH instance (g, g a¯ , g b , Z), B sets u∗ := g a¯ and y0 := g b . The algorithm B slightly changes the key generation algorithm to always set si ← α∗ (:= ∗ TCR(u∗ )) for all i. Then, for each i, B computes vi ← (u∗ )Fsi (:= (u∗ )fi (α ) ) and sets (u∗ , v1∗ , v2∗ , . . . , vn∗ ) as a target ciphertext. Next, B provides A with (Z, (u∗ , v1∗ , v2∗ , . . . , vn∗ )). If A makes decryption query, B simulates the decryption oracle in Game 2 by using secret keys that B generates. Finally, A outputs a bit d as his guess, and B outputs the same bit d. 

6

Concluding Remarks

In this paper, we have proposed a new approach to design efficient MKEMs. We have focused on the simulator which uses an algebraic trick from selective-ID security in the security proof of a KEM. By observing the behavior of the simulator, we have constructed two efficient MKEMs. Our proposed scheme based on [5] is the most efficient scheme among the MKEMs which are secure in the sense of IND-CCA under the HDDH assumption without MAC. The other proposed scheme based on [9] is one of the most efficient schemes among the MKEMs whose reduction efficiency of the security proof is tight, and which is secure in the sense of IND-CCCA under the HDDH assumption. We show the comparison of previously proposed MKEMs and ours in Table 2. Our constructions also show that there exist single-recipient PKE schemes which can be transformed into efficient multi-recipient schemes, even they do not pass the reproducibility test.

References 1. Barbosa, M., Farshim, P.: Randomness reuse: Extensions and improvements. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 257– 276. Springer, Heidelberg (2007) 2. Bellare, M., Boldyreva, A., Staddon, J.: Randomness re-use in multi-recipient encryption schemeas. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 85–99. Springer, Heidelberg (2003) 3. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005) 4. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identitybased techniques. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM Conference on Computer and Communications Security, pp. 320–329. ACM, New York (2005) 5. Cash, D., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008) 6. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998) 7. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2003)

308

H. Hiwatari et al.

8. Delerabl´ee, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 39–59. Springer, Heidelberg (2007) 9. Hanaoka, G., Kurosawa, K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 308–325. Springer, Heidelberg (2008) 10. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. Cryptology ePrint Archive, Report 2007/288 (2007), http://eprint.iacr.org/ 11. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007) 12. Kiltz, E.: Chosen-ciphertext secure key-encapsulation based on gap hashed DiffieHellman. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 282– 297. Springer, Heidelberg (2007) 13. Kurosawa, K.: Multi-recipient public-key encryption with shortened ciphertext. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 48–63. Springer, Heidelberg (2002) 14. Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004) 15. Smart, N.P.: Efficient key encapsulation to multiple parties. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 208–219. Springer, Heidelberg (2005) 16. Yasuda, K., Kobayashi, T., Aoki, K., Fujisaki, E., Fujioka, A.: Multicast in the kemdem framework. In: Proceedings of Symposium on Cryptography and Information Security, SCIS 2005, Japan (2005)

Fair Threshold Decryption with Semi-Trusted Third Parties Jeongdae Hong1 , Jinil Kim1 , Jihye Kim2 , Matthew K. Franklin3 , and Kunsoo Park1 1

2

School of Computer Science and Engineering, Seoul National University {jdhong,jikim,kpark}@theory.snu.ac.kr ISaC and Department of Mathematical Sciences, Seoul National University [email protected] 3 Department of Computer Science, University of California, Davis [email protected]

Abstract. A threshold decryption scheme is a multi-party public key cryptosystem that allows any sufficiently large subset of participants to decrypt a ciphertext, but disallows the decryption otherwise. Many threshold cryptographic schemes have been proposed so far, but fairness is not generally considered in this earlier work. In this paper, we present fair threshold decryption schemes, where either all of the participants can decrypt or none of them can. Our solutions employ semi-trusted third parties (STTP) and off-line semi-trusted third parties (OTTP) previously used for fair exchange. We consider a number of variants of our schemes to address realistic alternative trust scenarios. Although we describe our schemes using a simple hashed version of ElGamal encryption, our methods generalize to other threshold decryption schemes and threshold signature schemes as well.

1

Introduction

A threshold decryption scheme is a multi-party public key cryptosystem that allows any sufficiently large subset of participants to decrypt a ciphertext, but disallows the decryption otherwise. In a threshold decryption scheme, a secret key is typically split into secret key shares for the participants using a threshold secret sharing scheme. When a sufficiently large subset of participants wants to decrypt a ciphertext, each party computes a partially decrypted value using its secret key share. Any party who collects sufficiently many partially decrypted values can decrypt. In this paper, we focus on fairness of threshold decryption, which is not easy to achieve without a fully trusted third party (TTP). In many scenarios, it is very desirable that all participants in a threshold decryption procedure should receive the correct decrypted plaintext simultaneously, even when those participants are mutually mistrustful. In a stand-alone setting, where valuable data is encrypted, it is a security problem if some cheating participants to the threshold decryption procedure can recover the plaintext while the other participants cannot. In a more complex setting, where the threshold decryption is part of a larger secure C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 309–326, 2009. c Springer-Verlag Berlin Heidelberg 2009 

310

J. Hong et al.

multi-party protocol (e.g., [31]), the security of the overall protocol may be compromised unless ciphertexts can be decrypted with fairness. Although we focus on threshold decryption in this work, essentially all of our methods hold for the case of threshold signatures as well (which is also an important primitive in many scenarios). The previous threshold decryption schemes sometimes include a party called Combiner, who collects the decryption shares and computes the plaintext. With respect to fairness, Combiner would need to be a trusted third party (TTP) since it obtains the plaintext earlier than others. However, TTP is typically undesirable because all of the parties should totally trust it. Alternatively, each party in the threshold decryption can become a Combiner by himself if he knows the combining algorithm and all the decryption shares are exchanged among the parties. In that case, however, unfairness occurs when the first party who obtains all of the decryption shares quits the protocol without sending his decryption share. Even worse, a malicious party may obtain all decryption shares exclusively by repeating decryptions without sending his decryption share. Robust threshold decryption can be helpful here, but it does not by itself yield fairness. We employ semi-trusted third parties (STTP) and off-line semi-trusted third parties (OTTP).1 The STTP is an additional participant that follows the prescribed protocol correctly, while recording all communication in an attempt to learn something more about plaintexts (“semi-honest” or “honest-but-curious” adversary). The STTP is an on-line participant, since it connects to all the parties before the protocol starts, and communicates with them during the protocol even when all the parties are honest. Our first solution uses a single STTP to achieve fair threshold decryption. However, in practice, the reconstructing parties may fail to agree on a mutually satisfactory STTP. For example, imagine a situation where the parties of organization A trust only STTP α, while the parties of organization B trust only STTP β. To cover this kind of situation, we give a second solution that uses multiple “weak” STTPs to achieve fair threshold decryption. A “weak” STTP works semi-honestly for all the parties that trust it, but may work maliciously for the other parties. We present fair threshold decryption schemes for two natural variants of the multiple weak STTPs setting. Our third solution uses a single OTTP to achieve fair threshold decryption. The OTTP is a semi-honest additional participant that is not involved in the protocol unless one or more of the reconstructing parties crashes or attempts to cheat. The OTTP is an off-line participant, since it does not connect to any of the parties during normal protocol execution. This kind of protocol is often called “optimistic”, since troubles are resolved afterwards rather than prevented beforehand. For all of our solutions, no information leaks to the sender about the decryption policy (i.e., encryption looks like ordinary public key encryption). This has 1

Some previous work in fair exchange used the term “OTTP” to indicate off-line third party which is fully-trusted rather than semi-trusted.

Fair Threshold Decryption with Semi-Trusted Third Parties

311

always been an essential design principle for threshold cryptography, and it rules out simple approaches where the sender splits his message and encrypts using multiple keys. Related Work: Many threshold cryptographic schemes have been proposed so far [15,37,24,27,25,39,19,23], but fairness is not generally considered in this earlier work. Cleve [13] showed the impossibility of completely fair protocols without an honest majority for arbitrary functions, but Gordon et al. [30] reopened the question for specific functions of interest. Particularly, if t < n/3 where n is the total number of parties and t is the number of corrupted parties, fairness for secure multi-party computation (MPC) protocols can be achieved without information-theoretic or computational assumptions [5,12,29,28]. If n/3 ≤ t < n/2, a broadcast channel is necessary to achieve fairness [36,29,28]. Our consideration is on the general case where t can be any value between 1 and n. The “gradual release” paradigm can give a relaxation of complete fairness that is useful in many contexts (see, e.g., [6,34,4,8,9,35,22,21]). On-line semi-trusted parties have been used for fair exchange and related functions (e.g., [20,41,14]). Off-line semi-trusted parties have been used for “optimistic” fair exchange (e.g., [1,2,3,40,7,17,16]) and two-party optimistic fair secure computation [10]. Lindell [33] considers a related setting in which the off-line semi-trusted party is replaced with a legal infrastructure that respects digital signatures. Lepinski et al. [32] used physical assumptions to realize fair secure function evaluation (SFE), which includes fair MPC as a special case. The rest of the paper is organized as follows. Section 2 gives some preliminary cryptographic background. We present security models and definitions in Section 3. We present fair threshold decryption with (on-line) STTP (both strong and multiple weak) in Section 4 and optimistic fair threshold decryption with OTTP in Section 5.

2

Cryptographic Background

In this section, we briefly review the scenario of threshold decryption and a threshold version of Hash-ElGamal cryptosystem. 2.1

Threshold Decryption

The scenario of (t+1, ) - threshold decryption is as follows. There are a dealer,  shareholders who can participate in the decryption, and a combiner who actually decrypts the ciphertext. The dealer initializes a public key/secret key pair of the underlying non-threshold cryptosystem and splits the secret key into  secret key shares. Each shareholder Pi keeps the corresponding secret key share si privately. Anyone can encrypt a message by the public key. When a group of t + 1 shareholders wants to decrypt a ciphertext, each shareholder computes a partially decrypted value called decryption share by its secret key share. Then, the combiner collects t + 1 decryption shares and obtains the plaintext by the combining algorithm. Throughout this paper, we use the following notations.

312

J. Hong et al.

– secret key share - denotes a piece of the secret key shared by the secret sharing scheme. – decryption share - denotes a partially decrypted value of a ciphertext by a secret key share. – reconstruction group - denotes a group of t + 1 parties participating in the decryption process. 2.2

Threshold Version of Hash-ElGamal Cryptosystem

Throughout the paper, we use the threshold version of Hash-ElGamal cryptosystem [18], which allows us to focus on the main ideas of our schemes and the security arguments introduced by the fairness. Set-Up: Let G be a multiplicative group of large prime order q. Let H be a hash function from G to plaintext-length bitstrings. Let g be a generator of G. Key Generation: A dealer does the following: 1. Chooses a secret key SK = x ∈R [1..q−1] and computes public key P K = g x . 2. Picks a random polynomial f (·) with degree t for Shamir’s secret sharing scheme [38] whose coefficients are picked in [0..q − 1] and f (0) = x. 3. For all 1 ≤ i ≤ , computes secret key share si = f (i) mod q , verification key V Ki = g si , sends si to party Pi , and publishes g, P K, {(i, V Ki )}1≤i≤ . Encryption: To encrypt a message m, one randomly chooses r ∈R [1..q − 1] and computes E(m) = (g r , m ⊕ H(g rx )). Threshold Decryption: Let E(m) = (u, v), and let S ⊆ [1..] be a reconstruction group with |S| = t + 1. For each i ∈ S, Pi sends its  decryption share wi = g rsi to the combiner. The combiner computes g rx = i∈S (wi )λi , where  i {λi }i∈S are the appropriate Lagrange coefficients (i.e., λi = b∈S\{i} b−i ). Then rx the combiner computes v ⊕ H(g ) = m. Robust Threshold Decryption: Pi also sends to the combiner a zk-proof of equality of discrete logarithms that disclogg (V Ki ) = discloggr (wi ). The combiner rejects the decryption share from Pi unless this zk-proof is good. This threshold decryption scheme is semantically secure against a chosen plaintext attack if H is modeled as a random oracle, and if the Computational Diffie-Hellman problem (CDH) is hard in G (where the chosen plaintext attack is performed by an adversary that can see up to t shares of the decryption key). The robust threshold decryption scheme has similar security if (in addition) the proof of equality of discrete logarithms is sound, complete and zero knowledge.

3

Security Models and Definitions

In this section, we introduce members of our scenarios and define fairness of threshold decryption.

Fair Threshold Decryption with Semi-Trusted Third Parties

3.1

313

Members and Security Models

The members of our fair threshold decryption scheme consist of a dealer D,  shareholders and additional semi-trusted third parties (STTPs). - Dealer. A dealer D initializes the scheme as in the usual threshold decryption. If desired, a distributed key generation protocol can replace this trusted dealer using standard methods (e.g., [26]). - Shareholder. A shareholder is a legal member with a secret key share who can participate in the decryption. We assume that each shareholder works in a malicious model. That is, it may arbitrarily deviate from a specified protocol. It may refuse to participate in the protocol or abort the protocol prematurely. - Strong STTP. A strong STTP is an STTP trusted to work semi-honestly by all the shareholders. Only one strong STTP suffices in our fair threshold decryption scheme. - Weak STTP. A weak STTP is an extended notion of STTP which is trusted to work semi-honestly by other weak STTPs and some of the shareholders but not trusted by others. To all the shareholders who trust it, it faithfully works in semi-honest model, while it can work maliciously to other shareholders. In our schemes with multiple weak STTPs, several weak STTPs work together like one strong STTP. - Off-line STTP (OTTP). An off-line STTP is an STTP trusted by all the shareholders but it does not attend the protocol if all the shareholders behave honestly. Every on-line (strong or weak) STTP has its secret key share distributed privately during the key generation and can compute its decryption share like a shareholder. Communication Model: We assume that every pair of participants have a private and reliable communication channel connecting them. This includes all combinations of shareholder-to-shareholder, shareholder-to-STTP, and STTPto-STTP communication. 3.2

Formal Definition of Fairness

We define fairness of (t + 1, )-threshold decryption as follows. Definition 1. (Fairness of threshold decryption) If any shareholder Pi decrypts a ciphertext, then there exists at least one reconstruction group S with Pi ∈ S and |S| = t + 1 such that all the shareholders of S can get the plaintext. In the above definition, fairness means that all the shareholders of S can obtain the plaintext or no shareholder can. Any shareholder out of S should not be able to decrypt the ciphertext unless some shareholders of S send the plaintext to it. This requirement is important for applications in which the plaintext should be kept secret among the participants (e.g., [31]).

314

J. Hong et al.

Our definition of fairness implies that any fair threshold decryption scheme should be robust against such an attack whereby malicious shareholders initiate two or more reconstruction protocols for the same ciphertext (e.g., with disjoint subsets of honest shareholders), aborting so that no honest shareholder succeeds in any single reconstruction effort, while the malicious shareholders can decrypt by combining honest decryption shares from all of the reconstruction efforts. When the number of corrupted shareholders is less than (t+1)/2 (i.e. majority of any reconstruction group is honest), fairness can be achieved by general results of fair MPC [5,12,29,28]. We employ STTPs to cover the general case where up to t shareholders are corrupted. The following definition states fairness of threshold decryption when STTPs are involved in. Definition 2. (Fairness of threshold decryption with STTPs) A threshold decryption with STTPs is fair if all the shareholders achieve fairness in Definition 1 with the help of STTPs, while no STTP can learn anything about the decrypted message in polynomial time.

4 4.1

Fair Threshold Decryption with (On-Line) STTP Security Notions

We formally define two security notions, STTP-assistance and STTP-obliviousness by challenge-adversary games. Informally, STTP-assistance means that if any one of STTPs does not contribute its decryption share, no coalition of shareholders can decrypt any ciphertext even with the secret key shares of the other STTPs. And STTP-obliviousness means that no STTP, even with t secret key shares of shareholders, can learn anything about the decrypted message during polynomial number of decryptions on any ciphertexts. STTP-assistance. We say that a threshold scheme satisfies STTP-assistance if any polynomially bounded adversary A cannot win the following game with non-negligible probability. The game proceeds between A and a challenger CH where there are k STTPs: 1. CH runs Set-Up and Key Generation algorithms taking a security parameter. CH gives A the resulting common parameters. 2. A receives all the secret key shares of  shareholders and k − 1 secret key shares of the STTPs from CH. 3. A adaptively makes a polynomial number of queries to CH on any messages. For each message M , CH generates encryption C of M and responds with C and the corresponding decryption share of the remaining STTP with zkproof. 4. A selects two target messages (M0 , M1 ). CH picks one message Mb by selecting a random bit b ← {0, 1} and sends a ciphertext Cb of Mb to A. 5. Repeat step 3. 6. A outputs b (and wins if b = b).

Fair Threshold Decryption with Semi-Trusted Third Parties

315

STTP-obliviousness. We say that a threshold scheme with STTP satisfies STTP-obliviousness if it satisfies any polynomially bounded adversary A cannot win the following game with non-negligible probability. The game proceeds between A and a challenger CH where there are k STTPs: 1. CH runs Set-Up and Key Generation algorithms taking a security parameter. CH gives A the resulting common parameters. 2. A is given all the secret key shares of k STTPs and t secret key shares of shareholders.2 3. A adaptively makes a polynomial number of queries to CH on (M, S) where S ⊆ [1..], |S| = t + 1. For each (M, S), CH generates encryption C of M , and responds with C and the corresponding decryption shares with zk-proofs following the protocol on behalf of the shareholders of S. 4. A selects two target messages (M0 , M1 ). CH picks one message Mb by selecting a random bit b ← {0, 1} and sends a ciphertext Cb of Mb to A. CH simulates executions of all the shareholders so that A can participate in the decryption of Cb on behalf of the STTPs. 5. Repeat step 3. 6. A outputs b (and wins if b = b). 4.2

Strong STTP Fair Threshold Hash ElGamal

Description: The main idea of this scheme is that the secret key is split into  + 1 secret key shares instead of  secret key shares so that a secret key share is assigned for the strong STTP. However, we define the secret key share of the strong STTP as a special one, thus even more than t + 1 shareholders cannot decrypt a ciphertext without the decryption share of the strong STTP. The strong STTP can trigger the decryption by sending its decryption share after the shareholders of S exchange their decryption shares with one another. This scenario is applicable to all schemes which follow the general threshold decryption scenario. Fig. 1 shows this scenario graphically. The details of the protocol are as follows. Key Generation: D chooses x, R ∈R [1..q − 1], and computes P K = g x , V KST T P = g R . D picks an otherwise random degree t polynomial f (·) with coefficients in [0..q −1] such that f (0) = (x−R) mod q. Then for all i (1 ≤ i ≤ ), D computes si = f (i) mod q, V Ki = g si , and sends si to shareholder Pi . D sends sST T P = R to the STTP. Lastly, D publishes g, P K, V KST T P , {(i, V Ki )}1≤i≤ . Strong STTP Fair Threshold Decryption: Let E(m) = (u, v), and let S ⊆ [1..], |S| = t + 1. The STTP do not have to know (u, v) or S. For each i, j ∈ S, Pi sends wi = usi and a zk-proof that disclogg (V Ki ) = disclogu (wi ) to Pj . If Pi succeeds in verifying t + 1 decryption shares (including her own), then Pi sends a (READY, S, (u, v)) signal to the STTP. When the STTP receives consistent and well-formed READY signals from at least t + 1 shareholders, the STTP sends to each READY signaller wST T P = usST T P and 2

This can be regarded as a passive collusion among the STTPs and t shareholders where the colluding shareholders provide the STTPs with their secret key shares.

316

J. Hong et al.

Fig. 1. Fair Threshold Decryption with one strong STTP

a zk-proof that disclogg (V KST T P ) = disclogu (wST T P ). If Pi was a READY signaller, and if the STTP share, then Pi can now decrypt,  sent a valid decryption  i since g rx = wST T P · i∈S wiλi where λi = b∈S\{i} b−i . Non-Threshold Access Structure: Instead of viewing this as a (t + 1)-outof- threshold decryption scheme with  shareholders (P1 , . . . , P ) and a separate STTP, we can view it as a “non-threshold” access structure with  + 1 shareholders (ST T P, P1 , . . . , P ). Specifically, the access structure Γ  for successful decryption is ST T P ∧ Γt+1, , where Γt+1, is the (t + 1)-out-of- threshold access structure on {P1 , . . . , P }. Strong STTP Fair Threshold Decryption is possible whenever this non-threshold access structure Γ  can be realized. Communication Cost: Each shareholder’s communication cost is O(t) and the total communication cost is O(t2 ) except the key generation step. These costs are necessary for each shareholder to collect decryption shares from t + 1 shareholders. Security Proof of Strong-STTP Version: Now we prove that the strongSTTP protocol satisfies STTP-assistance, STTP-obliviousness, and fairness from the CDH assumption. Theorem 1. (STTP-assistance) Under the CDH assumption, the strong-STTP protocol satisfies STTP-assistance in the random oracle model. Proof. Let us assume the existence of an adversary A able to break STTPassistance. We now describe that a challenger CH can solve the CDH problem using the adversary A with non-negligible probability. When starting the STTPassistance game, CH gets an instance of CDH problem (g, g x , g y ) whose goal is computing g xy . In step 1, CH chooses a random polynomial f (·) with degree t. He simulates the strong-STTP protocol with initializing P K = g x , s1 = f (1), ..., s = f (). Then, sST T P is automatically chosen as sST T P = x − f (0) but CH knows neither x nor sST T P . The verification keys are easily computed by V K1 = g s1 , ..., V K =

Fair Threshold Decryption with Semi-Trusted Third Parties

317

g s , V KST T P = g x /g f (0) . CH sends common parameters (P K, V K1 , ..., V K , V KST T P ) to A. In step 2, CH sends (s1 , ..., s ) to A. A cannot distinguish these from a set of normal parameters because all of them are valid. In step 3, for each query M of A, CH generates a ciphertext Enc(M ) = (g r , M ⊕ H(g rx )) where r ∈R [0..q − 1] and responds with Enc(M ), wST T P = (V KST T P )r with the corresponding simulated zk-proof. In step 4, for given two messages M0 , M1 from A, CH picks one message Mb by selecting a random bit b ← {0, 1} and generates a dummy ciphertext: y ˆ ˆ Enc(M b ) = (g , Mb ⊕ h) where h ∈R [0..q − 1]. CH sends Enc(Mb ) to A. In step 5, for every query M , CH works the same way as in step 3. Finally, A outputs b such that P r[b = b] is non-negligibly higher than 1/2. Claim 1: Unless A queries g xy to the random oracle H(·), A cannot obtain any non-negligible advantage in guessing Mb . ˆ If A does not query g xy to the random oracle, Mb ⊕ h in Enc(M b ) is the same as the one-time pad whose key is h. Since the one-time pad has perfect secrecy, A cannot obtain anything from Mb ⊕ h. It implies no such adversary can obtain non-negligible advantage from any dummy ciphertext. Claim 2: If A queries g xy to the random oracle, CH can solve the CDH problem with non-negligible probability. The number of queries, qh , recorded in the random oracle is polynomially bounded due to A’s running time. If A has a non-negligible advantage Adv, A can solve the CDH problem with probability Adv/qh which is also non-negligible. It contradicts the CDH assumption. By both claims, no adversary can obtain non-negligible advantage from the above game if the CDH problem is hard. That implies STTP-assistance holds for the strong-STTP protocol under the CDH assumption in the random oracle model. Theorem 2. (STTP-obliviousness) Under the CDH assumption, the strongSTTP protocol satisfies STTP-obliviousness in the random oracle model. Proof. The proof is similar to that of Theorem 1 except simulation setup. In step 1, CH simulates verification keys V K1 = g s1 , ..., V Kt = g st , V KST T P = g R . For PK each i ∈ [t + 1..], CH sets V Ki = ( λ1 )1/λi . CH sends common λt V K1 ...V Kt ·V KST T P

parameters (P K, V K1 , ..., V K , V KST T P ) to A. In step 2, CH sends t secret key shares (s1 , ..., st ) and STTP’s secret key share R to A. Then, since Claim 1, 2 of Theorem 1 hold in the same way, no adversary can obtain non-negligible advantage from the above game if the CDH problem is hard. That leads to STTP obliviousness under the CDH assumption in the random oracle model. Theorem 3. (Fairness) The strong-STTP protocol satisfies fairness of threshold decryption with STTP in Definition 2 Proof. By Theorem 1, no t shareholders can succeed in decryption without following the protocol until the STTP’s sending its decryption share. The STTP

318

J. Hong et al.

contributes its decryption share only after all the shareholders of S exchange their decryption shares with one another. Since the STTP sends its share to the shareholders at the same time, it guarantees that they can get the decrypted message simultaneously. From this and Theorem 2, the strong-STTP protocol satisfies the fairness with STTP in Definition 2. 4.3

Multiple-Weak STTP Fair Threshold Hash ElGamal

Description. When all the shareholders cannot agree on a mutually satisfactory STTP, they can make use of several weak STTPs instead of one strong STTP. The members of this scenario are a dealer D,  shareholders and k weak STTPs. We assume that each shareholder trusts at least one weak STTP. Moreover, we assume that any subset of less than t + 1 shareholders has at least one common trustworthy weak STTP, which we call the technical covering condition. The reliability between weak STTPs and all the shareholders is public. Let S be a reconstruction group of t + 1 shareholders that collaboratively want to decrypt the ciphertext. Before introducing our scheme, we formally define the technical covering condition as follows. Definition 3. (Technical Covering Condition) Given a reconstruction group S with |S| = t + 1, and k weak STTPs, let Ti ⊆ [1..k] be the subset of indices of the weak STTPs that Pi trusts (i.e., Pi ’s trustworthy weak STTPs), and let Ui = [1..k] − Ti be that of the weak STTPs that Pi do not trust (i.e., Pi ’s untrustworthy weak STTPs). For any subset F ⊂ [1..] with |F | ≤ t, if ∩i∈F Ti is non-empty, then we say the technical covering condition is satisfied. Once we assume that the technical covering condition is satisfied, we can use the following scheme for fair threshold decryption. In this scenario, each shareholder Pi of S collects the decryption shares of Ui (his untrustworthy weak STTPs) so that it can proceed the threshold decryption without doubting them. Then, all the shareholders of S exchange their decryption shares with one another and send READY signals to all the weak STTPs. When each weak STTP receives READY signals from all the shareholders of S, it sends its own READY signals to all other weak STTPs. When each weak STTP receives READY signals from all the remaining weak STTPs, it triggers the decryption by sending its decryption share to the shareholders who trust it. Fig. 2 shows this scenario graphically. The details of the protocol are as follows. Key Generation: D chooses random x, R1 , . . . , Rk ∈ [1..q − 1], and computes P K = g x , V KST T P1 = g R1 , . . . , V KST T Pk = g Rk . D picks an otherwise random degree t polynomial f (·) with coefficients in [0..q − 1] such that f (0) = (x − k i=1 Ri ) mod q. Then for all i, 1 ≤ i ≤ , D computes si = f (i) mod q, V Ki = g si , and sends si to Pi . Then for all j, 1 ≤ j ≤ k, D sends sST T Pj = Rj to ST T Pj . Lastly, D publishes g, P K, {(j, V KST T Pj )}1≤j≤k , {(i, V Ki )}1≤i≤ . Multiple-Weak STTP Fair Threshold Decryption: Let E(m) = (u, v), and let S ⊆ [1..], |S| = t + 1. Let Ti and Ui be the same as those of Definition 3.1. We assume that the technical covering condition is satisfied. We assume that the STTPs know (u, v), S and {Ti }i∈S .

Fair Threshold Decryption with Semi-Trusted Third Parties

319

Fig. 2. An example of fair threshold decryption with weak STTPs where t + 1 = 4, k = 2. Odd-numbered shareholders trust ST T P1 but do not trust ST T P2 , while evennumbered shareholders trust ST T P2 but do not trust ST T P1 . Dotted line indicates that each STTP sends its decryption share to the shareholders who do not trust it in step 1, and solid line indicates that each STTP sends it to the shareholders who trust it in step 4.

1. For every j ∈ [1..k], and for every i ∈ [1..] such that j ∈ Ui , ST T Pj sends wST T Pj = uRj and a zk-proof that disclogg (V KST T Pj ) = disclogu (wST T Pj ) to Pi . 2. Each Pi checks the decryption shares it received from Ui (its untrustworthy weak STTPs) and it halts if any is bad. Otherwise, Pi sends wi = usi and a zk-proof that disclogg (V Ki ) = disclogu (wi ) to every shareholder in S. When Pi receives good decryption shares from all the other shareholders in S, then Pi sends a READY signal to all the STTPs. 3. Each STTP waits for READY signals from all the shareholders in S, and then sends its own READY signal to all the other STTPs. Each STTP goes on to the next step after receiving READY signals from all the other STTPs. 4. For every j ∈ [1..k], and for every i ∈ [1..] such that j ∈ Ti , ST T Pj sends wST T Pj and a zk-proof that disclogg (V KST T Pj ) = disclogu (wST T Pj ) to Pi .   5. Each Pi can now decrypt, since g rx = 1≤j≤k wST T Pj · i∈S wiλi where  i λi = b∈S\{i} b−i . Non-Threshold Access Structure: Instead of viewing this as a (t+ 1)-out-of threshold decryption scheme with  shareholders (P1 , . . . , P ) and k separate STTPs (ST T P1 , . . . , ST T Pk ), we can view it as a non-threshold access structure with  + k shareholders (ST T P1 , . . . , ST T Pk , P1 , . . . , P ). Specifically, the access structure Γ  for successful decryption is (ST T P1 ∧ . . . ∧ ST T Pk ) ∧ Γt+1, , where Γt+1, is the (t + 1)-out-of- threshold access structure on {P1 , . . . , P }. MultipleWeak STTP Fair Threshold Decryption is possible whenever this non-threshold access structure Γ  can be realized. Communication Cost: Each shareholder’s communication cost is O(t+ k) and the total communication cost is O((t + k)2 ).

320

J. Hong et al.

Security of Multiple Weak-STTP Version: The formal proof of the security is a simple extension of that for the strong STTP protocol, which will be presented in the full version.

5 5.1

Optimistic Fair Threshold Decryption Security Notions

Our notion of optimistic fair threshold decryption uses an OTTP which is semihonest but not attending the protocol if all the shareholders behave honestly. We do not require optimistic protocols to satisfy STTP-assistance because any t + 1 honest shareholders can decrypt the ciphertext without OTTP. We use the following security notions for optimistic fair threshold decryption. Security for threshold decryption. Informally, a (t + 1)-threshold decryption scheme is secure if t number of shareholders cannot decrypt any ciphertext. Formally, we say that a threshold scheme is semantically secure if any polynomially bounded adversary A cannot win the following game with non-negligible probability. The game proceeds between A and CH: 1. CH runs Set-Up and Key Generation algorithms taking a security parameter. CH gives A the resulting common parameters and t secret key shares. 2. A adaptively makes a polynomial number of queries to CH on (M, S) where S ⊆ [1..], |S| = t + 1. For each (M, S), CH generates encryption C of M and responds with C and the messages each shareholder sends in the execution of optimistic decryption on (C, S). 3. A adaptively queries for OTTP’s responses to CH. 4. A selects two target messages (M0 , M1 ). CH picks one message Mb by selecting a random bit b ← {0, 1} and sends a ciphertext Cb of Mb to A. CH also sends to A all the intermediate information except decryption shares. 5. Repeat step 2. 6. A outputs b (and wins if b = b). OTTP obliviousness. We say that a threshold scheme is OTTP-oblivious if any polynomially bounded adversary A cannot win the following game with non-negligible probability. The game proceeds between A and CH: 1. CH runs Set-Up and Key Generation algorithms taking a security parameter. CH gives A the resulting common parameters and OTTP’s secret key. 2. A adaptively makes a polynomial number of queries to CH on (M, S) where S ⊆ [1..], |S| = t + 1. For each (M, S), CH generates encryption C of M and responds with C and the messages each shareholder sends in the execution of optimistic decryption on (C, S). 3. A selects two target messages (M0 , M1 ). CH picks one message Mb by selecting a random bit b ← {0, 1} and sends a ciphertext Cb of Mb to A. A participates in a decryption protocol on (Cb , S) on behalf of the OTTP. 4. Repeat step 2. 5. A outputs b (and wins if b = b).

Fair Threshold Decryption with Semi-Trusted Third Parties

5.2

321

Optimistic Fair Threshold Hash ElGamal

Description: The main idea of this protocol is that all the shareholders of S exchange the promises of decryption shares before they exchange the decryption shares. A promise of decryption share is an encrypted value containing partial information of the decryption share using OTTP’s public key. It assures the receiver that he can obtain the decryption shares with the help of OTTP. Thus, once each shareholder receives all the promises, it can obtain all the decryption shares even when some shareholders behave maliciously. In this protocol, the OTTP does not respond to any query before all the promises are exchanged. To guarantee this, each shareholder sends its signed READY signal to all the other shareholders of S, so that only shareholders who receive all the signed READY signals can query to the OTTP in order to get the decryption shares that they have not received. The OTTP accepts only queries enclosed with all the signed READY signals of S. (We can regard it as OTTP’s decryption policy.) Once the OTTP receives a query with the signed READY signals, it can be assured that the shareholders of S already received all the promises of S. At this moment, the OTTP sends all the signed READY signals to the other shareholders of S. It guarantees that the shareholders have the right to query to the OTTP. One main tool is verifiable encryption, which allows someone to prove that an encrypted value is the discrete logarithm of an unencrypted value (with respect to an unencrypted base). Let EN C be a public key encryption scheme that supports verifiable encryption as in Camenisch-Shoup [11]. The details of the protocol are as follows. Key Generation: A dealer initializes common parameters of ordinary threshold Hash-ElGamal as in Section 2.2. OTTP creates a key pair (SKOT T P , P KOT T P ) for EN C(·). Optimistic Fair Threshold Decryption: Let E(m) = (u, v), S ⊆ [1..], |S| = t + 1. We assume that all of the shareholders agree on the session information inf which includes S, E(m). 1. In Round 1, for every i, j ∈ S: (a) Pi sends the following promise to Pj (unfair, blinded, partially signed): (αi , βi , inf, g r/αi , EN COT T P (βi si ), σi , proof (disclogg (V Kiβi ) = βi si )), where αi , βi ∈R [1..q − 1] chosen by Pi and σi is the signature by Pi of (inf, g r/αi , EN COT T P (βi si )). The disclog proof is Camenisch-Shoup style on the verifiably encrypted value βi si . (b) Pj checks if the promise from Pi is valid: well-formed, well-signed, wellblinded, disclog proof. (c) If Pi receives t + 1 valid promises of S (including its own), Pi proceeds to Round 2. 2. In Round 2, for every i ∈ S: (a) Pi sends (READY, inf) and its signature to the other shareholders in S.

322

J. Hong et al.

(b) If Pi receives t + 1 signed (READY, inf) signals of S (including its own) from S or (possibly) OTTP, Pi proceeds to Round 3. 3. In Round 3, for every i ∈ S: (a) Pi sends to the other shareholders in S: (g rsi , proof (discloggr (g rsi ) = disclogg (V Ki ))). Here the proof is an ordinary zk-proof for equality of discrete logs. (b) If Pi receives t + 1 good decryption shares (including its own), then Pi decrypts as in ordinary (robust) threshold decryption, and halts. Otherwise, Pi proceeds to Round 4. 4. In Round 4, for every i ∈ S: (a) Let Sˆ be the subset of S which did not send Pi a good decryption share in Round 3. (b) Pi sends OTTP all the signed (READY, inf) signals of S, and the partially signed promise (inf, g r/αj , EN COT T P (βj sj ), σj ) from every shareˆ holder j in S. (c) OTTP checks all the signed (READY, inf) signals of S and all the signed ˆ If any of them is invalid, OTTP rejects the query. part of promises of S. (d) If it is the first query of the session inf, OTTP sends all the signed (READY, inf) signals of S to all the shareholders of S to finish their waiting in Round 2. (e) OTTP notifies each Pj in Sˆ that Pi asks OTTP so that Pj does not wait for Pi ’s decryption share in Round 3. (f) OTTP decrypts all the (EN COT T P (βj sj ))j∈Sˆ . (g) OTTP computes and sends to Pi all the ((g r/αj )βj sj )j∈Sˆ . (h) Pi now unblinds all the ((g r/αj )βj sj )j∈Sˆ using all the (αj , βj )j∈Sˆ . Pi can obtain the plaintext as in ordinary threshold decryption, and halts. Remark 1: The promises of step 1 are “blinded” so that the OTTP cannot compute any decryption share even if it responds to a number of queries. In the blinded promises, we use two random numbers αi , βi to hide the secret key shares and the decryption shares from the OTTP. Any shareholder, who receives a blinded promise, can verify its validity by checking (g r/αi )αi = g r and proof (disclogg (V Kiβi ) = βi si ). Remark 2: This protocol does not satisfy a useful property timely termination [2] with which a shareholder can leave the protocol immediately in a fair manner without waiting for the responses of other shareholders. For instance, let’s consider the following case in which a shareholder Pi is in Round 2, and the other shareholders in Round 3 do not send their decryption shares for a long time. In this case, Pi can neither go to Round 3 since he has not collected all the signed READY signals, nor leave the protocol since the other shareholders will succeed in decryption by querying the OTTP. Nevertheless, this protocol is fair since Pi can succeed in decryption whenever another shareholder succeeds in decryption if he has not leaved the protocol. We can modify this protocol so

Fair Threshold Decryption with Semi-Trusted Third Parties

323

that timely termination is satisfied. For space constraints, this variant will be presented in the full version. Communication Cost: Each shareholder’s communication cost is O(t) and the total communication cost is O(t2 ). Security Proof of OTTP Version Theorem 4. (Security for threshold decryption) Under the CDH assumption, unforgeability of the signature scheme and the security of verifiable encryption, the above optimistic protocol is a semantically secure threshold decryption protocol in the random oracle model. Proof. The proof is very similar with the proof for Theorem 2. Assume that A able to break security for threshold decryption. Using this adversary A, we can build an algorithm to solve the CDH problem with non-negligible probability: Given an instance of CDH problem (g, g x , g y ), the algorithm computes g xy . CH initializes P K = g x , s1 , ..., st ∈R [0..q − 1], and V K1 = g s1 , ..., V Kt = g st . For each i ∈ [t + 1..], CH sets V Ki = ( λ1P K λt )1/λi . CH also generates (SKOT T P , P KOT T P ). V K1 ...V Kt

A is given public parameters (P K, V K1 , ..., V K , P KOT T P ) and t secret key shares (s1 , ..., st ). In step 2, for each query (M, S) of A, CH responds with t + 1 decryption shares {wj = (V Kj )r }j∈S . He also computes t + 1 promises with the simulated signatures σi and zk-proofs proof (disclogg (V Kiβi = βi si ). In step 4, for given two messages M0 , M1 from A, CH picks one message Mb and sends a dummy ˆ ciphertext Enc(M b ). CH also simulates promises, signatures and zk-proofs. Under the unforgeability of the signature scheme, A’s query to the OTTP on input created by A cannot pass the validity test of the input. Moreover, under the security of verifiable encryption, no information is revealed from the promises in Round 1. READY signals in Round 2 do not contain any information about the plaintext. Thus, similar to Theorem 2, A can win the game in polynomial time with non-negligible probability only by querying g xy to the random oracle, which contradicts to the CDH assumption. Theorem 5. (OTTP-obliviousness) Under the CDH assumption, the optimistic fair threshold satisfies OTTP-obliviousness. Proof. The proof is the same as the proof for Theorem 4 except: A is given SKOT T P instead of t secret shares. Still, it is clear that unless αi , βi are given, A cannot learn anything about si from the partially signed promises. Thus, the only way to win the game is to make a query on g xy . Again, it contradicts to the CDH assumption. Theorem 6. (Fairness) Under the CDH assumption, unforgeability of the signature scheme, security of the verifiable encryption, the optimistic protocol satisfies fairness of threshold decryption with OTTP in Definition 2. Proof. Let F be a coalition of at most t cheating shareholders. All the information which F can receive comes from the promises in Round 1, the READY

324

J. Hong et al.

signals in Round 2, and the decryption shares in Round 3. Since READY signals have nothing to do with any secret information, we only need to consider promises and decryption shares. Claim 1: If F decrypts the ciphertext without querying to the OTTP, all the honest shareholders of S can decrypt it too. If F does not receive decryption shares from the shareholders in Round 3, F fails to decrypt by Theorem 4. Otherwise, there exists at least one honest shareholder Pi in Round 3 who sends its decryption share to F . In Round 1 and 2, Pi received all the promises and the signed READY signals of S. It implies that Pi can obtain all the decryption shares with the help of the OTTP whenever it wants. Furthermore, from the signed READY signals which Pi received, it is obvious that all the honest shareholders had received all the promises in Round 1 and proceeded to (at least) Round 2. When Pi queries to the OTTP, all the honest shareholders in Round 2 can proceed to Round 3 due to the signed READY signals from the OTTP. Then, all the honest shareholders of S can decrypt the ciphertext with the help of the OTTP and Claim 1 holds. Claim 2: If F decrypts the ciphertext by querying to the OTTP, all the honest shareholders of S can decrypt it too. F can query to the OTTP only when he has all the signed READY signals. It implies that all the shareholders of S have sent their signed READY signals to F . It also implies that all the honest shareholders had received all the promises in Round 1 and proceeded to Round 2. Thus, whenever F queries to the OTTP, all the honest shareholders can proceed to Round 3 by receiving the signed READY signals which the OTTP sends. Then, all the honest shareholders of S can query to the OTTP and Claim 2 holds. By both claims, F cannot cause any unfairness whatever they do. Thus, the OTTP protocol satisfies the fairness of Definition 1.

Acknowledgments This work was supported by Korea Research Council of Fundamental Science and Technology. The ICT at Seoul National University provides research facilities for this study. Jihye Kim was supported by the Korea Science and Engineering Foundation (KOSEF) grant funded by the Korea government (MEST) (No. R012008-000-11287-0, No. 20090058574).

References 1. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: ACM Conference on Computer and Communications Security, pp. 7–17 (1997) 2. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Communication 18(4), 593–610 (2000) 3. Bao, F., Deng, R.H., Mao, W.: Efficient and practical fair exchange protocols with off-line TTP. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 77–85 (May 1998)

Fair Threshold Decryption with Semi-Trusted Third Parties

325

4. Ben-Or, M., Goldreich, O., Micali, S., Rivest, R.L.: A fair protocol for signing contracts. IEEE Transactions on Information Theory 36(1), 40–46 (1990) 5. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation. In: STOC 1988: Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 1–10. ACM, New York (1988) 6. Blum, M.: How to exchange (secret) keys. ACM Trans. Comput. Syst. 1(2), 175– 193 (1983) 7. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 8. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000) 9. Boudot, F., Schoenmakers, B., Traor´e, J.: A fair and efficient solution to the socialist millionaires’ problem. Discrete Applied Mathematics 111(1-2), 23–36 (2001) 10. Cachin, C., Camenisch, J.L.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000) 11. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003) 12. Chaum, D., Cr´epeau, C., Damgard, I.: Multiparty unconditionally secure protocols. In: STOC 1988: Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 11–19. ACM Press, New York (1988) 13. Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC, pp. 364–369 (1986) 14. Cox, B., Tygar, J.D., Sirbu, M.: Netbill security and transaction protocol. In: First USENIX workshop on Electronic Commerce, pp. 77–88 (1995) 15. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990) 16. Dodis, Y., Lee, P.J., Yum, D.H.: Optimistic fair exchange in a multi-user setting. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 118–133. Springer, Heidelberg (2007) 17. Dodis, Y., Reyzin, L.: Breaking and repairing optimistic fair exchange from PODC 2003. In: Digital Rights Management Workshop, pp. 47–54 (2003) 18. ElGamal, T.: A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985) 19. Fouque, P., Poupard, G., Stern, J.: Sharing decryption in the context of voting of lotteries. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 90–104. Springer, Heidelberg (2001) 20. Franklin, M.K., Reiter, M.K.: Fair exchange with a semi-trusted third party. In: Proceedings of the 4th ACM Conference on Computer and Communications Security (CCS), pp. 1–5 (April 1997) 21. Garay, J.A., MacKenzie, P., Yang, K.: Efficient and secure multi-party computation with faulty majority and complete fairness. Cryptology ePrint Archive, Report 2004/009 (2004), http://eprint.iacr.org/ 22. Garay, J.A., MacKenzie, P.D., Prabhakaran, M., Yang, K.: Resource fairness and composability of cryptographic protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 404–428. Springer, Heidelberg (2006) 23. Gennaro, R., Halevi, S., Krawczyk, H., Rabin, T.: Threshold RSA for dynamic and ad-hoc groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 88–107. Springer, Heidelberg (2008)

326

J. Hong et al.

24. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and Efficient Sharing of RSA Functions. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 157–172. Springer, Heidelberg (1996) 25. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. Inf. Comput. 164(1), 54–84 (2001) 26. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptology 20(1), 51–83 (2007) 27. Gennaro, R., Rabin, T., Jarecki, S., Krawczyk, H.: Robust and efficient sharing of RSA functions. J. Cryptology 13(2), 273–300 (2000) 28. Goldreich, O.: Secure multi-party computation (working draft, version 1.2) (2000), http://www.wisdom.weizmann.ac.il/oded/pp.html 29. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: STOC 1987: Proceedings of the nineteenth annual ACM symposium on Theory of computing, pp. 218–229. ACM Press, New York (1987) 30. Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure twoparty computation. In: STOC, pp. 413–422 (2008) 31. Kissner, L., Song, D.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005) 32. Lepinski, M., Micali, S., Peikert, C., Shelat, A.: Completely fair sfe and coalitionsafe cheap talk. In: PODC 2004: Proceedings of the twenty-third annual ACM symposium on Principles of distributed computing, pp. 1–10. ACM, New York (2004) 33. Lindell, A.Y.: Legally-enforceable fairness in secure two-party computation. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 121–137. Springer, Heidelberg (2008) 34. Luby, M., Micali, S., Rackoff, C.: How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin. In: FOCS, pp. 11–21 (1983) 35. Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003) 36. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: STOC 1989: Proceedings of the twenty-first annual ACM symposium on Theory of computing, pp. 73–85. ACM Press, New York (1989) 37. Santis, A.D., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: STOC, pp. 522–533 (1994) 38. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979) 39. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000) 40. Zhou, J., Deng, R.H., Bao, F.: Some remarks on a fair exchange protocol. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 46–57. Springer, Heidelberg (2000) 41. Zhou, J., Gollmann, D.: An efficient non-repudiation protocol, pp. 126–132. IEEE Computer Society Press, Los Alamitos (1997)

Conditional Proxy Broadcast Re-Encryption Cheng-Kang Chu1 , Jian Weng1,2 , Sherman S.M. Chow3 , Jianying Zhou4 , and Robert H. Deng1 1 School of Information Systems Singapore Management University, Singapore {ckchu,jianweng,robertdeng}@smu.edu.sg 2 Department of Computer Science Jinan University, Guangzhou 510632, P.R. China 3 Department of Computer Science Courant Institute of Mathematical Sciences New York University, NY 10012, USA [email protected] 4 Institute for Infocomm Research, Singapore [email protected]

Abstract. A proxy re-encryption (PRE) scheme supports the delegation of decryption rights via a proxy, who makes the ciphertexts decryptable by the delegatee. PRE is useful in various applications such as encrypted email forwarding. In this paper, we introduce a more generalized notion of conditional proxy broadcast re-encryption (CPBRE). A CPBRE scheme allows Alice to generate a re-encryption key for some condition specified during the encryption, such that the re-encryption power of the proxy is restricted to that condition only. This enables a more fine-grained delegation of decryption right. Moreover, Alice can delegate decryption rights to a set of users at a time. That is, Alice’s ciphertexts can be re-broadcasted. This saves a lot of computation and communication cost. We propose a basic CPBRE scheme secure against chosen-plaintext attacks, and its extension which is secure against replayable chosen-ciphertext attacks (RCCA). Both schemes are unidirectional and proved secure in the standard model. Finally, we show that it is easy to get a unidirectional RCCA-secure identity-based proxy reencryption from our RCCA-secure CPBRE construction. Keywords: proxy re-encryption, conditional proxy re-encryption, broadcast encryption, hierarchical identity-coupling broadcast encryption.

1

Introduction

Proxy re-encryption (PRE) schemes enable (by delegating a transformation-key to) a semi-trusted proxy to transform Alice’s ciphertext into one encrypting the same message which is decryptable by Bob, without allowing the proxy any ability to perform tasks outside of the delegation. PRE found applications [3,8] in 

Funded by A*STAR project SEDS-0721330047.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 327–342, 2009. c Springer-Verlag Berlin Heidelberg 2009 

328

C.-K. Chu et al.

digital rights management, distributed file storage systems, and email forwarding. For example, users can assign their email server as the proxy such that it can re-encrypt the emails for different users without knowing the email content. Although PRE is useful in many applications, we found that sometimes we need more than the basic. In corporate email forwarding, Alice may ask the proxy to re-encrypt her emails to her colleague Bob when she is on leave. However, this is not enough in the following scenarios: 1. Alice does not want Bob to read all her private emails. 2. For some business emails, Alice has to forward them to more than one colleague other than Bob, in an extreme case, the whole staff of the company. Using a traditional PRE, a proxy is too powerful as it has the ability to reencrypt all Alice’s emails to Bob once the re-encryption key is given. For more than one delegatees, Alice needs to generate a re-encryption key for each staff member, and the proxy also needs to re-encrypt emails for each of them. We believe there is a better way to handle these situations. We envision a more generalized notion of Conditional Proxy Broadcast Re-Encryption (CPBRE). Alice can specify a condition to generate a conditional re-encryption key, such that the re-encryption power of the proxy is restricted to that condition only. Moreover, Alice can delegate the decryption rights to a set of users at a time, which means Alice’s ciphertexts can be re-broadcasted. In this paper, we formalize this notion, propose a basic CPBRE scheme secure against chosenplaintext attacks (CPA), and an extension that is secure against replayable chosen-ciphertext attacks (RCCA) [9]. RCCA is a weaker variant of chosenciphertext attack (CCA) in which a harmless mauling of the challenge ciphertext is tolerated. Both schemes are unidirectional and secure in the standard model. The new CPBRE is much more flexible. Back to our email-forwarding example, Alice can use the keywords “business”, “private” and “golf” as the conditions, to allow forwarding of her encrypted emails to her colleagues, family members, and golf club members respectively. For each group, Alice only requires to produce one re-encryption key and the proxy only requires to transform a single ciphertext. This saves a lot of computation and communication cost. Finally, being a generalization of PRE, it is easy to use our RCCA-secure CPBRE construction to build a RCCA-secure unidirectional identity-based proxy re-encryption (IB-PRE), which is the first of its kind. 1.1

Related Works

Following Blaze, Bleumer and Strauss’s seminal work [3] which presented a bidirectional CPA-secure PRE scheme, many PRE schemes have been proposed. Ateniese et al. [1] presented a CPA-secure unidirectional PRE. Canetti and Hohenberger [8] presented a CCA-secure bidirectional PRE. Later, Libert and Vergnaud [14] presented a RCCA-secure unidirectional PRE. These PRE schemes [1,8,14] rely on the somewhat costly bilinear pairings. Without pairings, Deng et al. [11] proposed a CCA-secure bidirectional PRE. Subsequently, Weng et al. [19] and Shao and Cao [16] presented CCA-secure unidirectional PRE.

Conditional Proxy Broadcast Re-Encryption

329

Proxy re-encryption has also been studied in identity-based encryption (IBE) settings. Based on Boneh-Boyen IBE [4], Boneh, Goh and Matsuo [6] described a hybrid proxy re-encryption system. Green and Ateniese [12] presented a CPAsecure IB-PRE and a CCA-secure IB-PRE, which are proven in the random oracle model and only support single-use (i.e., the ciphertext can only be reencrypted once). Matsuo [15] also proposed a CPA-secure IB-PRE scheme. Later, Chu and Tzeng [10] tried to propose a CCA-secure multi-use IB-PRE scheme without random oracles. However, as Shao and Cao [16] stated, [12,10] are unable to resist a “chain collusion attack” (described later). Up to now, there is still no CCA-secure (or RCCA-secure) IB-PRE scheme in the standard model. Tang [17] introduced the primitive of type-based proxy re-encryption, which allows the proxy to re-encrypt a specific type of delegator’s ciphertexts. Independently, Weng et al. [18] introduced a similar primitive named “conditional proxy re-encryption”, in which the proxy can re-encrypt a ciphertext under a specific condition iff he has the re-encryption key with respect to this condition. However, both of these schemes are proved in the random oracle model. Finally, Libert and Vergnaud [13] introduced the notion of traceable proxy re-encryption, where malicious proxies leaking their re-encryption keys can be identified.

2

Definition

We briefly describe the assumptions and underlying encryption schemes that will be used in our constructions, then the definition of CPBRE will be given. 2.1

Pairing and Related Computational Assumption

Let G and GT be two (multiplicatively) cyclic groups of prime order p. Let e : G × G → GT is a map with the following properties: – Bilinear: for all g1 , g2 ∈ G and a, b ∈ Z, e(g1a , g2b ) = e(g1 , g2 )ab . – Non-degenerate: for some g ∈ G, e(g, g)  = 1. We say that G is a bilinear group if the group operations in G and GT , and the bilinear map are efficiently computable. Our schemes are based on the Decisional Bilinear Diffie-Hellman Exponent (BDHE) problem in (G, GT ) [5] – given 2n + 1 elements 2

n

n+2

(˜ g , g, g α , g α , . . . , g α , g α

2n

, . . . , g α ) ∈ G2n+1 , n+1

and an element R ∈ GT , decide if R = e(g, g˜)α . i In the rest of this paper, we will use gi to denote the term g α . Definition 1. The Decisional n-BDHE assumption holds in (G, GT ) if no polynomial time algorithm A has non-negligible advantage in solving the Decisional n-BDHE problem in (G, GT ), where the advantage of A is ε if    Pr[A(˜ g , g, g1 , g2 , . . . , gn , gn+2 , . . . , g2n , e(gn+1 , g˜)) = 1]     ≥ ε.  − Pr[A(˜ g , g, g1 , g2 , . . . , gn , gn+2 , . . . , g2n , R) = 1]

330

2.2

C.-K. Chu et al.

Hierarchical Identity-Coupling Broadcast Encryption

Attrapadung, Furukawa and Imai [2] proposed a notion of Hierarchical IdentityCoupling Broadcast Encryption (HICBE). We review its model and security definition here. For an identity ID = {id1 , id2 , . . . , idl }, we denote IDj as {id1 , id2 , . . . , idj } for 1 ≤ j ≤ l. An HICBE consists of the following algorithms. – Setup(n): on input the maximum number of users, output the public key P K and master secret key M K. – KeyGen(P K, M K, i): on input the public key P K, the master secret key M K and an index i ∈ {1, 2, . . . , n}, output the root secret key ski of user i. – Derive(P K, ski,IDl−1 , i, ID): on input the public key P K, the secret key ski,IDl−1 of user i coupling with the (l − 1)-level identity IDl−1 , an index i ∈ {1, 2, . . . , n} and an l-level identity ID, output the secret key ski,ID . – Encrypt(P K, S, ID, m): on input the public key P K, an index set S ⊆ {1, 2, . . . , n}, an identity ID and a message m, output the ciphertext C. – Decrypt(P K, ski,ID , i, S, ID, C): on input the public key P K, the secret key ski,ID , an index i, a set S, an identity ID and a ciphertext C, output the plaintext m. The selective identity-and-set security of HICBE is defined by the following game between an adversary A and a challenger. Both are given n as input. 1. Init. A picks a set S ∗ ⊆ {1, 2, . . . , n} and an identity ID∗ to be attacked. 2. Setup. Perform Setup(n) to get (P K, M K) and give P K to A. 3. Query phase 1. A can issue the following queries: – Extract(i, ID): if i ∈ / S ∗ or ID is not a prefix of ID∗ or ID∗ itself, return ski,ID ← Derive(P K, ski , i, ID) where ski ← KeyGen(P K, M K, i); otherwise, return ‘⊥’. – Decrypt(i, S, ID, C): return m ← Decrypt(P K, ski,ID , i, S, ID, C), where ski,ID ← Derive(P K, ski , i, ID), ski ← KeyGen(P K, M K, i). 4. Challenge. A presents (m0 , m1 ). Return C ∗ ← Encrypt(P K, S ∗ , ID∗ , mb ) to A, where b ∈R {0, 1}. 5. Query phase 2. A continues making queries as in Query phase 1 except that A cannot issue the decryption query on (i, S ∗ , ID, C ∗ ) such that i ∈ S ∗ and (ID = ID∗ or ID is a prefix of ID∗ ). 6. Guess. A outputs the guess b ∈ {0, 1}. We say A wins the game if b = b. The advantage of A is defined as | Pr[b = b] − 12 |. An HICBE scheme is IND-sID-sSet-CCA-secure if for any probabilistic polynomial-time algorithm A, the advantage of A in this game is negligible. The CPA security is defined in the same way as CCA security except that A is not allowed to issue the decryption queries. Attrapadung, Furukawa and Imai provided two constructions based on BGW [5] broadcast encryption. In this paper, we use the HICBE based on BB-IBE [4] to build our CPBRE constructions. The security of this HICBE can be asserted by the following theorem, details can be found in [7] and the full version of [2]. Theorem 1. Suppose the Decisional n-BDHE assumption holds. The (BGW+BB) HICBE scheme for n users is IND-sID-sSet-CCA-secure.

Conditional Proxy Broadcast Re-Encryption

2.3

331

Conditional Proxy Broadcast Re-Encryption

We define our new notion of conditional proxy broadcast re-encryption as follows. Definition 2. A conditional proxy broadcast re-encryption scheme consists of the following algorithms: – Setup(n): used for the generation of the system public key and master secret key of n users. On input the maximum number of users, output the public key P K and master secret key M K. – KeyGen(P K, M K, i): used for the generation of user i’s secret key. On input the public key P K, the master secret key M K and an index i ∈ {1, 2, . . . , n}, output the secret key ski . – Encrypt(P K, S, w, m): used for the generation of a regular ciphertext of m for the set S under condition w. On input the public key P K, an index set S ⊆ {1, 2, . . . , n}, a condition w and a message m, output the ciphertext C. – RKGen(P K, ski , S  , w): used for the generation of a re-encryption key from i to S  under condition w. On input the public key P K, the secret key ski , an index set S  and a condition w, output the re-encryption key di→S  |w . – ReEnc(P K, di→S  |w , i, S, S  , w, C): used for the generation of a re-encrypted ciphertext from C. On input the public key P K, the re-encryption key di→S  |w , the original recipient i, the original set S, the new set S  , the condition w and a ciphertext C, output the re-encrypted ciphertext CR or ‘⊥’. – Decrypt-I(P K, ski , i, S, w, C): used for the decryption of the regular ciphertext C. On input the public key P K, the secret key ski , an index i, a set S, a condition w and a ciphertext C, output the plaintext m or ‘⊥’. – Decrypt-II(P K, ski , i, i , S, S  , w, CR ): used for the decryption of the reencrypted ciphertext CR . On input the public key P K, the delegatee’s secret key ski , two indices i and i , two sets S and S  , a condition w and a reencrypted ciphertext CR , output the plaintext m or ‘⊥’. Correctness. For any integer n, any sets S and S  , any indices i ∈ S and i ∈ S  , any condition w and any message m,   Decrypt-I(P K, ski , i, S, w, C) = m : (P K, M K) ← Setup(n), Pr = 1, ski ← KeyGen(P K, M K, i), C ← Encrypt(P K, S, w, m) ⎡ ⎤ Decrypt-II(P K, ski , i, i , S, S  , w, CR ) = m : ⎢ (P K, M K) ← Setup(n), ski ← KeyGen(P K, M K, i),⎥ ⎢ ⎥ Pr ⎢ ⎥=1. ⎣ ski ← KeyGen(P K, M K, i ), di←S  |w ← RKGen(P K, ski , S  , w),⎦ C ← Encrypt(P K, S, w, m), CR ← ReEnc(P K, di←S  |w , i, S, S  , w, C)

Now, we proceed to define the security model for CPBRE. Here we consider the security in the replayable CCA sense [9,8,14]. For traditional public key cryptosystems, in such a relaxed security notion, an adversary who can simply modify a given ciphertext into another encryption of the same plaintext is not deemed successful [14]. To define the RCCA security for CPBRE systems, we

332

C.-K. Chu et al.

here disallow the adversary to ask for a decryption of any re-randomized version of the -encrypted ciphertext re-encrypted from the challenge ciphertext. Definition 3. The chosen-ciphertext security of a CPBRE scheme against a static adversary is defined by the following game between an adversary A and a challenger. Both the challenger and A are given n as input. 1. Init. A chooses a set S ∗ ⊆ {1, 2, . . . , n} and a condition w∗ that it wants to attack. 2. Setup. Perform Setup(n) to get (P K, M K) and give P K to A. 3. Query phase 1. We define the following oracles. (a) Extract(i): return ski ← KeyGen(P K, M K, i). (b) RKExtract(i, S  , w): return di→S  |w ← RKGen(P K, ski , S  , w), where ski ← KeyGen(P K, M K, i). (c) ReEncrypt(i, S, S  , w, C): return CR ← ReEnc(P K, di→S  |w , C), where di→S  |w ← RKGen(P K, ski , S  , w) and ski ← KeyGen(P K, M K, i). (d) Decrypt-I(i, S, w, C): return m ← Decrypt-I(P K, ski , i, S, w, C), where ski ← KeyGen(P K, M K, i). (e) Decrypt-II(i, i , S, S  , w, CR ): compute ski ← KeyGen(P K, M K, i ) and return m ← Decrypt-II(P K, ski , i, i , S, S  , w, CR ). A can issue these queries except – Extract(i) for any i ∈ S ∗ and – both RKExtract(i, S  , w∗ ) and Extract(i ) for any S  , i ∈ S ∗ and i ∈ S  . 4. Challenge. A presents (m0 , m1 ). Return C ∗ = Encrypt(P K, S ∗ , w∗ , mb ) to A, where b ∈R {0, 1}. 5. Query phase 2. A continues making queries as in the Query phase 1, except for the following queries – Extract(i) for any i ∈ S ∗ ; – RKExtract(i, S  , w∗ ) and Extract(i ) for any S  , i ∈ S ∗ and i ∈ S  ; – Decrypt-I(i, S ∗ , w∗ , C ∗ ) for any i ∈ S ∗ ; – ReEncrypt(i, S  , w∗ , C ∗ ) and Extract(i ) for any S  , i ∈ S ∗ and i ∈ S  ; ∗ ∗ – Decrypt-II(i, i , S ∗ , S  , w∗ , CR ) for any S  and CR , where i ∈ S ∗ , i ∈  S and ∗ Decrypt-II(P K, ski , i, i , S ∗ , S  , w∗ , CR ) ∈ {m0 , m1 }. 6. Guess. A outputs the guess b ∈ {0, 1}. We say A wins the game if b = b. The advantage of A is defined as | Pr[b = b] − 12 |. A CPBRE scheme is INDsCond-sSet-RCCA-secure if for any probabilistic polynomial-time algorithm A, the advantage of A in this game is negligible. The CPA security is defined in the same way as RCCA security except that A is not allowed to query ReEncrypt, Decrypt-I and Decrypt-II oracles, similar to the definition in [12].

3

CPA-Secure CPBRE

We start by presenting a CPA version of our final scheme. Without loss of generality, we assume a condition is always specified for every encryption.

Conditional Proxy Broadcast Re-Encryption

3.1

333

Construction

The basic CPBRE scheme is described as follows. – Setup(n). Pick a prime p and generates groups G, GT , bilinear map e and a generator g as defined in Section 2.1. Randomly choose α, γ ∈R Zp and i compute gi = g α ∈ G for i = 1, . . . , n, n + 2, . . . , 2n. Define the function F (x) = g1x h, where h ∈R G. Let H  : GT → G be a target collision resistant (TCR) hash. Compute v = g γ . Output the public/secret key: P K = (v, g, g1 , . . . , gn , gn+2 , . . . , g2n , F, H  ),

M K = γ.

– KeyGen(P K, M K, i). The private key for i is defined as ski = giγ . – Encrypt(P K, S, w, m). For the set S ⊆ {1, 2, . . . , n} and the condition w ∈ Zp , pick t ∈R Zp , the ciphertext for message m ∈ GT is output as  C = (c1 , c2 , c3 , c4 ) = (m · e(g1 , gn )t , g t , (v · gn+1−j )t , F (w)t ). j∈S 

– RKGen(P K, ski , S , w). Randomly choose s ∈ Zp , output di→S  |w = (ski · F (w)s , C  ), where C  ← Encrypt’(P K, S  , g s ), where the algorithm Encrypt’(P K, S, m) for S ⊆ {1, 2, . . . , n} and m ∈ G picks t ∈R Zp , σ ∈R GT and outputs the ciphertext as  C  = (c0 , c1 , c2 , c3 ) = (m · H  (σ), σ · e(g1 , gn )t , g t , (v · gn+1−j )t ). j∈S

– ReEnc(P K, di→S  |w , i, S, S  , w, C). Let C = (c1 , c2 , c3 , c4 ) and di→S  |w = (d, C  ). Compute  c˜1 = c1 · e(d · gn+1−j+i , c2 )/e(gi , c3 ) and c˜2 = c4 . j∈S,j =i

The re-encrypted ciphertext is output as CR = (˜ c1 , c˜2 , C  ). – Decrypt-I(P K, ski , i, S, w, C). Let C = (c1 , c2 , c3 , c4 ). Output  m = c1 · e(ski · gn+1−j+i , c2 )/e(gi , c3 ). j∈S,j =i 

– Decrypt-II(P K, ski , i, i , S, S  , w, CR ). Let CR = (˜ c1 , c˜2 , C  ) and C  =     (c0 , c1 , c2 , c3 ). Recover  e(ski · j∈S  ,j =i gn+1−j+i , c2 ) s    g ← c0 /H (c1 · ) e(gi , c3 ) and output m = c˜1 /e(g s , c˜2 ).

334

C.-K. Chu et al.

Discussion. For the regular encryption, the scheme is just the same as the underlying BGW+BB HICBE scheme, hence we enjoy a constant-size ciphertext. For the re-encryption key under condition w, we encrypt g s , one of the two elements of ski,w , under the key of the recipient set. Again, its size is independent of the number of delegatees. The same hold trues for re-encrypted ciphertext. The regular decryption procedure is proceeded in ReEnc, except for the cancellation of the term e(g s , f (w)t ). In Decrypt-II, the recipient can decrypt C  to get g s first, and then cancel e(g s , f (w)t ) to get m. Correctness. For any integer n, any sets S and S  , any indices i ∈ S and i ∈ S  , any condition w and any message m, we can see that – for Decrypt-I, c1 · e(ski · j∈S,j =i gn+1−j+i , c2 )/e(gi , c3 ) t = c1 · e(giγ · j∈S,j , (v · j∈S gn+1−j )t ) =i gn+1−j+i , g )/e(g i t t = c1 · e( j∈S,j =i gn+1−j+i , g )/e(gi , j∈S gn+1−j ) t t t = c1 /e(g, gn+1 ) = m · e(g1 , gn ) /e(g, gn+1) = m; – for Decrypt-II, c˜1 /e(g s , c˜2 ) s = (c1 · e(d · j∈S,j n+1−j+i , c2 )/e(gi , c3 ))/e(g , c4 ) =i g s s = (c1 · e(ski · F (w) · j∈S,j =i gn+1−j+i , c2 )/e(gi , c3 ))/e(g , c4 ) s s = (c1 · e(ski · j∈S,j =i gn+1−j+i , c2 )/e(gi , c3 ))e(F (w) , c2 )/e(g , c4 ) s t s t = m · e(F (w) , g )/e(g , F (w) ) (via Decrypt-I) = m. 3.2

Security

Theorem 2. Suppose the decisional n-BDHE assumption holds and H  is a TCR hash function, the basic CPBRE scheme for n users described above is IND-sCond-sSet-CPA-secure. Proof. Suppose there is an adversary A breaking our basic CPBRE scheme with non-negligible advantage. Initially, A outputs a selected set S ∗ and a selected condition w∗ . Then we construct another algorithm B breaking the underlying HICBE scheme as follows. Given the public key P K of HICBE, B simulates the security game of basic CPBRE. Initially, B prepares two tables: – EX with an index list: a track of Extract queries. – RK with columns (i, S  , w, d): d is the re-encryption key from index i to the set S  under the condition w. Moreover, we use ∗ to denote the wildcard symbol. 1. Init. B outputs S ∗ and w∗ as the target set and target identity of HICBE. 2. Setup. Choose a TCR hash function H  . B sends P K along with H  to A.

Conditional Proxy Broadcast Re-Encryption

335

3. Query phase 1. B answers the following queries issued by A: (a) Extract(i): if i ∈ S ∗ , or (j, S  , w∗ , ∗) exists in the RK table, where j ∈ S ∗ , i ∈ S  , B responds ‘⊥’. Otherwise, B forwards the query to the key extraction oracle of HICBE, and responds the received ski . B records i in the EX table. (b) RKExtract(i, S  , w): if there is a tuple (i, S  , w, di→S  |w ) in the RK table, B responds di→S  |w to A. Otherwise, we have the following cases: – i ∈ / S ∗ or w  = w∗ : B queries i’s secret key under identity w from the challenger of HICBE, and responds the re-encryption key as the real scheme (except that g s is given by the challenger). B records the tuple (i, S  , w, di→S  |w ) in the RK table. – i ∈ S ∗ , w = w∗ and S  ∩ EX  = ∅: B responds ‘⊥’. – i ∈ S ∗ and w = w∗ , but S  ∩EX = ∅: B picks d, d ∈R G and responds a random re-encryption key di→S  |w = (d, Encrypt’(P K, S  , d )). B records the tuple (i, S  , w, di→S  |w ) in the RK table. 4. Challenge. A sends (m0 , m1 ) to B. B forwards it to the challenger of HICBE. When the challenger returns ciphertext C ∗ , B responds C ∗ to A. 5. Query phase 2. B responds A’s queries as in phase 1. 6. Guess. When A outputs the guess b , B outputs b . We can see that B successfully simulates A’s view in the attack except for a case of re-encryption key queries (when i ∈ S ∗ and w = w∗ ). For a randomly chosen key di→S  |w = (d, C  ), there must be a value s ∈ Zp such that d =  ski · F (w)s . Therefore the problem is equivalent to the indistinguishability of  C  and the encryption of some value g s . This is implied by the CPA security of HICBE and the TCR hash function. So, B has non-negligible advantage in breaking the HICBE scheme. By Theorem 1, B has non-negligible advantage in breaking the decisional n-BDHE assumption.  Note that our constructions can withstand the below attack mentioned in [16]. Chain collusion attack. Suppose Alice is the attack target in a proxy re-encryption scheme. Although the adversary A cannot get the re-encryption key from Alice to Bob and Bob’s private key at the same time, A can get the re-encryption key from Bob to Carol and Carol’s private key instead. If Bob’s private key can be derived with these two keys, then Alice’s private key can be derived as well by just asking for the re-encryption key from Alice to Bob. In our constructions, we assume a condition w for each encryption. It means all re-encryption keys given to the proxy are coupled with a condition. The collusion of the proxy and the delegatee can recover the decryption key for some condition only. However, the ciphertext C  in the re-encryption key can be decrypted by the root private key only. So the above attack cannot be applied.

4

RCCA-Secure CPBRE

The RCCA-secure CPBRE scheme follows the structure of the basic CPBRE. However, it is challenging to design a RCCA-secure CPBRE scheme because it

336

C.-K. Chu et al.

involves two kinds of secret keys (regular decryption keys and re-encryption keys) and two kinds of ciphertexts (regular ciphertexts and re-encrypted ciphertexts). Again, we assume a condition is always specified for every encryption. 4.1

Construction

– Setup(n). Pick a prime p and generates groups G, GT , bilinear map e and i a generator g. Randomly choose α, γ ∈R Zp and compute gi = g α ∈ G for i = 1, . . . , n, n+2, . . . , 2n. Define the functions bit(i, x) be the i-th bit of a bit string x, F1 (x) = g1x h1 and F2 (x) = u ui bit(i,x) where h1 , u, u1 , · · · , uη ∈R G Let H : {0, 1}∗ → Zp and H  : GT → G be two TCR hash functions. Compute v = g γ . Output the public key and the secret key: P K = (v, g, g1 , . . . , gn , gn+2 , . . . , g2n , F1 , F2 , H, H  ),

M K = γ.

– KeyGen(P K, M K, i). The private key for i is defined as ski = giγ . – Encrypt(P K, S, w, m). For the set S ⊆ {1, 2, . . . , n} and the condition w ∈ Zp , the ciphertext for message m ∈ GT can be output as  C = (c1 , c2 , c3 , c4 , c5 ) = (m · e(g1 , gn )t , g t , (v · gn+1−j )t , F1 (w)t , F2 (h)t ), j∈S

where t ∈R Zp and h = H(c1 , c2 , c3 , c4 ). – RKGen(P K, ski , S  , w). Pick s ∈R Zp . Output the re-encryption key as di→S  |w = (ski · F1 (w)s , C  ), where C  ← Encrypt’(P K, S  , g s ). The algorithm Encrypt’(P K, S, m) for S ⊆ {1, 2, . . . , n} and m ∈ G outputs  C  = (c0 , c1 , c2 , c3 , c4 ) = (m·H  (σ), σ·e(g1 , gn )t , g t , (v· gn+1−j )t , F2 (h )t ), j∈S

where t ∈R Zp , σ ∈R GT and h = H(c0 , c1 , c2 , c3 ). – ReEnc(P K, di→S  |w , i, S, S  , w, C). Let C = (c1 , c2 , c3 , c4 , c5 ) and di→S  |w = (d, C  ). Compute h = H(c1 , c2 , c3 , c4 ). Check that e(c2 , v ·

j∈S

?

?

?

gn+1−j ) = e(g, c3 ), e(c2 , F2 (h)) = e(g, c5 ), e(c2 , F1 (w)) = e(g, c4 ).

If any of the equations does not hold or i ∈ / S, output ‘⊥’. Otherwise, compute   d1 = d · F2 (h)s , and d2 = g s . Output the re-encrypted ciphertext CR = (C, C  , d1 , d2 ).

Conditional Proxy Broadcast Re-Encryption

337

– Decrypt-I(P K, ski , i, S, w, C). Let C = (c1 , c2 , c3 , c4 , c5 ). Compute h = H(c1 , c2 , c3 , c4 ) and check that ? ? ? e(c2 , v · j∈S gn+1−j ) = e(g, c3 ), e(c2 , F2 (h)) = e(g, c5 ), e(c2 , F1 (w)) = e(g, c4 ). If any of the equations does not hold or i ∈ / S, output ‘⊥’. Otherwise, output e(ski · j∈S,j =i gn+1−j+i , c2 ) m = c1 · . e(gi , c3 ) – Decrypt-II(P K, ski , i, i , S, S  , w, CR ). Let CR = (C, C  , d1 , d2 ) where C = (c1 , c2 , c3 , c4 , c5 ) and C  = (c0 , c1 , c2 , c3 , c4 ). Compute h = H(c1 , c2 , c3 , c4 ) and h = H(c0 , c1 , c2 , c3 ). Check that ? ? e(c2 , v · j∈S gn+1−j ) = e(g, c3 ), e(c2 , v · j∈S  gn+1−j ) = e(g, c3 ) ? ? (1) e(c2 , F1 (w)) = e(g, c4 ), e(c2 , F2 (h)) = e(g, c5 ), ?

e(c2 , F2 (h )) = e(g, c4 ) and i ∈ S. If any of the equations does not hold, output ‘⊥’. Otherwise, perform  e(ski · j∈S  ,j =i gn+1−j+i , c2 ) s    g = c0 /H (c1 · ).  e(gi , c3 ) and check that e(d1 , g) = e(gi , v)e(F1 (w), g s )e(F2 (h), d2 ). ?

(2)

If the equation does not hold, output ‘⊥’. Otherwise output e(d1 · j∈S,j =i gn+1−j+i , c2 ) m = c1 · . e(gi , c3 )e(g s , c4 )e(d2 , c5 ) Correctness. The decryption of regular ciphertexts is just the same as our basic CPBRE. For the re-encrypted ciphertexts, we first check the decryption of C  : e(sk  ·







g

 ,c



)

i n+1−j+i 2 j∈S ,j=i c0 /H  (c1 · ) e(gi ,c3 ) γ    t t  = c0 /H (c1 · e(gi · j∈S  ,j g ,  i , (v · =i n+1−j+i g )/e(g j∈S  gn+1−j ) ))    t t = c0 /H (c1 · e( j∈S  ,j =i gn+1−j+i , g )/e(gi , j∈S  gn+1−j )) t t = c0 /H  (c1 /e(g, gn+1 )) = g s · H  (σ)/H  (σ · e(g1 , gn )t /e(g, gn+1 )) = g s .

Once g s is correctly computed, we can compute the message: c1 ·

e(d1 · j∈S,j=i gn+1−j+i ,c2 ) (e(gi ,c3 )e(gs ,c4 )e(d2 ,c5 ))  e(giγ F1 (w)s F2 (h)s · j∈S,j=i gn+1−j+i ,gt )

= c1 · s t s t (e(g i ,c3 )e(g ,F1 (w) )e(g ,F2 (h) )) t t = c1 · e(giγ · j∈S,j g , g )/e(g n+1−j+i i , (v · =i j∈S gn+1−j ) ) t t = c1 · e( j∈S,j =i gn+1−j+i , g )/e(gi , j∈S gn+1−j ) t t = c1 /e(g, gn+1 ) = m · e(g1 , gn )t /e(g, gn+1 ) = m; Moreover, it is easy to verify the checking equations are correct. Therefore the correctness of this construction holds.

338

4.2

C.-K. Chu et al.

Security

In this scheme, we get the RCCA security from the conversion technique of [7]. The scheme involves one more identity level for hash values. This ensures C and C  will not be modified. We did not check the integrity of the re-encrypted ciphertext as a whole. but we use Equation 1 and Equation 2 to check the validity of C, C  , d1 , d2 and their relationships to i, S, w. In Lemma 1, we show that if all of these equations hold, C will be decrypted to the original message by d1 , d2 and g s encrypted in C  . Therefore, the challenger is able to reject any re-randomization of the re-encrypted ciphertexts or any re-encryption of the challenge ciphertext. Lemma 1. If a re-encrypted ciphertext CR = (C, C  , d1 , d2 ) passes Equation 1 and 2, then CR will be decrypted to the same message as the decryption of C. Proof. By Equation 1, we know that C is indeed an encryption under the set S coupling with identity w, C  is an encryption under the set S  , and i ∈ S. Then Equation 2 implies that CR will be decrypted to the same message as the decryption of C, since c1 · = c1 · = c1 · = c1 ·

e(d1 · j∈S,j=i gn+1−j+i ,c2 )  s e(gi ,c 3 )e(g ,c4 )e(d2 ,c5 ) e(d1 · j∈S,j=i gn+1−j+i ,gt ) e( j∈S,j=i gn+1−j+i ,gt )e(d1 ,g)t = c ·  s t t 1 e(gi ,c3 )e(gs ,F1 (w)t )e(d ,F2 (h)t ) e(g 2 i ,c3 )e(g ,F1 (w) )e(d2 ,F2 (h) ) e( j∈S,j=i gn+1−j+i ,gt )e(gi ,v)t e(F1 (w),gs )t e(F2 (h),d2 )t (by Equation  s t t e(gi ,c3 )e(g ,F1 (w) )e(d2 ,F2 (h) ) e( j∈S,j=i gn+1−j+i ,gt )e(gi ,v)t e(ski · j∈S,j=i gn+1−j+i ,c2 ) = c1 · . e(gi ,c3 ) e(gi ,c3 )

2) 

Theorem 3. Suppose the decisional n-BDHE assumption holds and H, H  are two TCR hash functions, the CPBRE scheme for n users described above is IND-sCond-sSet-RCCA-secure. Proof. Suppose there is an adversary A breaking our CPBRE scheme with non-negligible advantage. Initially, A outputs a selected set S ∗ and a selected condition w∗ . Then we construct another algorithm B breaking the underlying CCA-secure HICBE scheme (CCA-HICBE) as follows. Given the public key P K of CCA-HICBE, B simulates the RCCA game of CPBRE. Initially, B prepares the following tables: – EX with (i): a track of Extract queries. – RK with columns (i, S  , w, d, C  , g s , br , bq ): the records of re-encryption key (d, C  ) returned by B, where C  ← Encrypt’(P K, S  , g s ); br and bq indicate whether the key is randomly chosen or output by RKExtract oracle. – RE with column (S  ): a track of ReEncrypt(i, S, S  , w∗ , C ∗ ) queries, where i ∈ S ∗ and C ∗ is the challenge ciphertext. We use ∗ to denote the wildcard symbol. Note that the intermediate ciphertext C  with a different form cannot be issued to Decrypt oracle.

Conditional Proxy Broadcast Re-Encryption

339

1. Init. B outputs S ∗ and w∗ as the target set and identity of CCA-HICBE. 2. Setup. Pick a TCR hash function H  . B sends P K along with H  to A. 3. Query phase 1. B answers the following queries issued by A: (a) Extract(i): if i ∈ S ∗ , or (j, S  , w∗ , ∗, ∗, ∗, ∗, 1) exists in the RK table, where j ∈ S ∗ , i ∈ S  , B responds ‘⊥’. Otherwise, B forwards the query to the key extraction oracle of CCA-HICBE, and responds the received ski . B records i in the EX table. (b) RKExtract(i, S  , w): if there is a tuple (i, S  , w, d, C  , g s , ∗, ∗, 1) in the RK table, B responds (d, C  ) to A. Otherwise, B answers the re-encryption key for the following cases: – i ∈ / S ∗ or w  = w∗ : B queries i’s secret key under identity w from the challenger of CCA-HICBE, and computes and responds the reencryption key (d, C  ) as the real scheme (except that g s is given by the challenger). B records (j, S  , w∗ , d, C  , g s , 0, 1) on RK. – i ∈ S ∗ , w = w∗ and S  ∩ EX  = ∅: B responds ‘⊥’. – i ∈ S ∗ and w = w∗ , but S  ∩ EX = ∅: if the RK table contains (i, S  , w, d, C  , g s , 1, 0), B responds (d, C  ) to A and sets bq of this tuple to 1. Otherwise, B responds a random re-encryption key (d, C  ), where d is randomly chosen from G and C  ← Encrypt’(P K, S  , g s ) for some random s ∈ Zp . B records the tuple (i, S  , w, d, C  , g s , 1, 1) in the RK table. Note that in this case, any Extract(i ) query for i ∈ S  is forbidden, so the re-encryption key cannot be verified. (c) ReEncrypt(i, S, S  , w, C): B proceeds depending on the following cases: – i∈ / S ∗ or w  = w∗ : if there is no tuple (i, S  , w, ∗, ∗, ∗, ∗, ∗) on RK, B performs RKExtract(i, S  , w) to get the re-encryption key (d, C  ) and records (i, S  , w∗ , d, C  , g s , 0, 0) on RK. Then B re-encrypts C using the re-encryption key on RK as in the real scheme. – i ∈ S ∗ , w = w∗ : if (i, S  , w, ∗, ∗, ∗, 1, 1) exists on RK, B re-encrypts C using the re-encryption key on RK as in the real scheme. Otherwise, B issues the key extraction query on (i, (w, h)) to the challenger of CCA-HICBE where h = H(c1 , c2 , c3 , c4 ), and gets back the pri  vate key (d1 , d2 , d3 ) = (ski F1 (w)s F2 (h)s , g s , g s ). Then B computes C  = Encrypt’(P K, S  , d2 ) and responds (C, C  , d1 , d3 ). B records (i, S  , w∗ , d, C  , d2 , 1, 0) on RK, where d ∈R G. (d) Decrypt-I(i, S, w, C): B forwards (i, S, w, C) to the decryption oracle of CCA-HICBE and responds the result to A. (e) Decrypt-II(i, i , S, S  , w, CR ): let CR = (C, C  , d1 , d2 ). B issues C  to the decryption oracle of CCA-HICBE scheme to obtain g s first1 . If the result is ‘⊥’, B responds ‘⊥’ as well. For (i, S  , w), check whether there 1

We cannot issue C  to the decryption oracle of CCA-HICBE directly. However, we can modify the CCA-HICBE scheme (removing the ID part and adding the TCR part) to get a new scheme which encrypts messages as in Encrypt’. The resulting scheme is like another way of making the BGW [5] scheme CCA-secure using the conversion technique of [7]. It is easy to show that the obtained scheme is IND-sSetCCA secure assuming the decisional n-BDHE assumption and a TCR hash function.

340

C.-K. Chu et al.

ˆ C, ˆ g s , 1, 1) on RK. If there does not exist such exists a tuple (i, S  , w, d, tuple, B decrypts the ciphertext as in the real scheme. Otherwise, check ? ? ˆ ˆ g)e(F2 (h), d ) and C  = e(d1 , g) = e(d, C. 2

If both equations hold, CR is re-encrypted by the random re-encryption key given by B. So B issues a query (i, S, w, C) to the decryption oracle of CCA-HICBE and responds the result to A. Otherwise, B decrypts the ciphertext as in the real scheme. 4. Challenge. A sends (m0 , m1 ) to B. B forwards it to the challenger of CCAHICBE. When the challenger returns ciphertext C ∗ , B responds C ∗ to A. 5. Query phase 2. A continues making the following queries as in phase 1, except for the restrictions described in the definition. (a) Extract(i): If i ∈ S  for some S  on RE, B responds ‘⊥’. Otherwise, B responds the queries as in Query phase 1. (b) RKExtract(i, S  , w): B responds as in Query phase 1. (c) ReEncrypt(i, S, S  , w, C): If C = C ∗ , S = S ∗ , w = w∗ , i ∈ S and S  ∩ EX  = ∅, B responds ‘⊥’. Otherwise, B responds the queries as in Query phase 1. B records S  on RE if it did not respond ‘⊥’ and C = C ∗ . (d) Decrypt-I(i, S, w, C): If if C = C ∗ , S = S ∗ , w = w∗ and i ∈ S, B responds ‘⊥’. Otherwise, B responds the queries as in Query phase 1. (e) Decrypt-II(i, i , S, S  , w, CR ): let CR = (C, C  , d1 , d2 ). B responds the queries as in Query phase 1 except for the case C = C ∗ , S = S ∗ , w = w∗ and i ∈ S. For the latter case, B simply responds with ‘⊥’. We explain this by considering the following two cases for i ∈ S: – CR does not pass Equation 1 or 2: B should return ‘⊥’. – CR passes Equation 1 and 2: by Lemma 1, CR must be decrypted into mb . According to our security definition, this query is forbidden. 6. Guess. When A outputs the guess b , B outputs b . A is successfully simulated except for randomly chosen re-encryption keys. For a randomly chosen re-encryption key (d, C  ), there must be a value s ∈ Zp such  that d = ski · F (w)s . Therefore the distinguishability of these keys is equivalent  to the distinguishability of C  and the encryption of some value g s . By the CCA security of CCA-HICBE and the TCR hash function, this distinguishability is negligible. Moreover, if A uses a randomly chosen re-encryption key to reencrypt a ciphertext and issues it to Decrypt-II oracle, B can make a decryption query on the original ciphertext and respond with a correct message. So, B has non-negligible advantage in breaking the CCA-HICBE, and hence breaking the decisional n-BDHE assumption, by Theorem 1. 

5

RCCA-Secure Identity-Based Proxy Re-Encryption

Since CPBRE is a generalization of PRE, we can build RCCA-secure IB-PRE from our RCCA-secure CPBRE by letting the broadcast size be 1 and w be user ID. We briefly explain the changes here. Details are deferred to the full paper.

Conditional Proxy Broadcast Re-Encryption

341

The key generation center executes Setup. For user key generation, each user gets a 1-level secret key (g1γ F1 (id)s , g s ) for his identity id. Everyone has to encrypt a message under a 2-level identity: recipient’s identity and a dummy identity t. In RKGen, g s is encrypted under the recipient’s (1-level) identity. Then a proxy colluding with a third party can only get the decryption key of delegator’s 2-level identity, which cannot be used to get g s . In short, a user Alice with the secret key (g1γ F1 (“Alice”)s , g s ) delegates the  decryption right to Bob by giving the re-encryption key (g1γ F1 (“Alice”)s F2 (t)s ,  Encrypt’(P K, “Bob”, g s ), g s ) to a proxy. The proxy re-encrypts an Alice’s ciphertext C in the form (C, C  , d1 , d2 ). Then Bob can use his own secret key   (g1γ F1 (“Bob”)s , g s ) to decrypt C  first, and get the decryption of C. The security proof is almost the same as that for the RCCA-secure CPBRE scheme. We say that a PRE scheme is multi-use if the proxy can re-encrypt a ciphertext multiple times, e.g. re-encrypt from Alice to Bob, then re-encrypt the result from Bob to Carol. To do that in our construction, the proxy only needs to re-encrypt C  to further transform the re-encrypted ciphertext.

6

Conclusions

We introduce conditional proxy broadcast re-encryption, which allows a user to delegate the decryption rights of ciphertexts to a group of users, restricted to a certain condition, via the help of a proxy. Our final scheme is unidirectional and secure against replayable chosen-ciphertext attacks in the standard model, which also gives a unidirectional ID-based proxy re-encryption scheme.

Acknowledgement Thanks to Junzuo Lai for the discussion that improves our initial construction.

References 1. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2005). The Internet Society (2005) 2. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006) 3. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998) 4. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)

342

C.-K. Chu et al.

5. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005) 6. Boneh, D., Goh, E.-J., Matsuo, T.: Proposal for P1363.3 proxy re-encryption (2006), http://grouper.ieee.org/groups/1363/IBC/submissions 7. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identitybased techniques. In: Proceedings of the 12th ACM Conference on Computer and Communications Security - CCS 2005, pp. 320–329. ACM Press, New York (2005) 8. Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proceedings of ACM Conference on Computer and Communications Security (CCS 2007), pp. 185–194. ACM Press, New York (2007) 9. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003) 10. Chu, C.-K., Tzeng, W.-G.: Identity-based proxy re-encryption without random oracles. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 189–202. Springer, Heidelberg (2007) 11. Deng, R.H., Weng, J., Liu, S., Chen, K.: Chosen-ciphertext secure proxy reencryption without pairings. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 1–17. Springer, Heidelberg (2008) 12. Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007) 13. Libert, B., Vergnaud, D.: Tracing malicious proxies in proxy re-encryption. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 332– 353. Springer, Heidelberg (2008) 14. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy reencryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008) 15. Matsuo, T.: Proxy re-encryption systems for identity-based encryption. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 247–267. Springer, Heidelberg (2007) 16. Shao, J., Cao, Z.: CCA-secure proxy re-encryption without pairings. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 357–376. Springer, Heidelberg (2009) 17. Tang, Q.: Type-based proxy re-encryption and its construction. In: Soomaruga, G. (ed.) Formal Theories of Information. LNCS, vol. 5363, pp. 130–134. Springer, Heidelberg (2008) 18. Weng, J., Deng, R.H., Ding, X., Chu, C.-K., Lai, J.: Conditional proxy reencryption secure against chosen-ciphertext attack. In: Proceedings of ACM Symposium on Information, Computer & Communication Security (ASIACCS 2009). ACM Press, New York (to appear, 2009) 19. Weng, J., Deng, R.H., Liu, S., Chen, K., Lai, J., Wang, X.: Chosen-ciphertext secure proxy re-encryption schemes without pairings. Technical report, Cryptology ePrint Archive: Report 2008/509 (Version 3) (2008)

Security on Hybrid Encryption with the Tag-KEM/DEM Framework Toshihide Matsuda1 , Ryo Nishimaki2 , Akira Numayama1, and Keisuke Tanaka1 1

Tokyo Institute of Technology W8-55, 2-12-1 Ookayama Meguro-ku, Tokyo 152-8552, Japan {matsuda5,keisuke,numayam4}@is.titech.ac.jp 2 NTT Laboratories, 3-9-11 Midori-cho Musashino-shi Tokyo 180-8585, Japan [email protected]

Abstract. The tag-KEM/DEM framework has been proposed by Abe, Gennaro, Kurosawa, and Shoup to explain why the Kurosawa-Desmedt PKE is secure in the sense of IND-CCA2, yet the KEM part are not secure in the sense of IND-CCA2. They have concluded that the Kurosawa-Desmedt KEM satisfies the IND-CCA2 security for tag-KEM. They have shown that an IND-CCA2 secure PKE system can be constructed from an IND-CCA2 tag-KEM system and an IND-OT secure DEM system. Herranz, Hofheinz and Kiltz have shown the necessary and sufficient conditions for the KEM/DEM framework. They also have studied implications and separations among the security notions of KEM. In this paper, we study the necessary and sufficient conditions for the tagKEM/DEM framework. Moreover, we study implications and separations among the security notions of tag-KEM. By these studies, we show gaps between KEM and tag-KEM about weak and strong non-malleability with respect to the necessary and sufficient conditions in order to obtain the same security levels.

1 Introduction 1.1 Background An important task of cryptography is to transmit messages safely through a public channel. For this purpose, there exist two ways, i.e., public-key encryption (PKE) systems and symmetric-key encryption (SKE) systems. Hybrid encryption systems are constructed from the combination from both sides, which are employed to utilize the advantage of both of them. In these systems, a ciphertext consists of two parts: a ciphertext of a symmetric key with the public-key encryption system and a ciphertext of the message with the symmetric-key encryption system by using the symmetric key. Constructions of hybrid encryption systems have been improved and formalized as key encapsulation mechanism (KEM) and data encapsulation mechanism (DEM) by Cramer and Shoup [4,10]. In the KEM/DEM framework, if the KEM and DEM systems are secure in the sense of IND-CCA2, then the hybrid encryption system is also secure in the sense of INDCCA2 [4]. It was believed that these conditions were necessary and sufficient. However, Kurosawa and Desmedt have constructed a hybrid encryption system such that the C. Boyd and J. Gonz´alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 343–359, 2009. c Springer-Verlag Berlin Heidelberg 2009 

344

T. Matsuda et al.

KEM system does not satisfy the IND-CCA2 security, but the hybrid encryption system constructed from it satisfies the IND-CCA2 security [7,6]. Abe, Gennaro, Kurosawa, and Shoup have proposed the tag-KEM/DEM framework in order to formalize the security notions that the Kurosawa-Desmedt hybrid encryption system satisfies[1]. The tag-KEM/DEM framework applies the output of DEM to the input of tag-KEM as a tag. In this framework, if the tag-KEM system satisfies the IND-CCA2 security and the DEM system satisfies the IND-OT security, the hybrid encryption system is secure in the sense of IND-CCA2. They explained why the Kurosawa-Desmedt system satisfies the IND-CCA2 security within the tag-KEM/DEM framework. Herranz, Hofheinz, and Kiltz [5] have classified the security notions of KEM into nine security notions, IND-{CPA, CCA1, CCA2}, wNM-{CPA, CCA1, CCA2}, sNM{CPA,CCA1,CCA2}, and the security notions of DEM into ten security notions, IND{OT, CPA, CCA1, OTCCA2, CCA2}, NM-{OT, CPA, CCA1, OTCCA2, CCA2}. They have analyzed implications and separations among these security notions, and shown the necessary and sufficient conditions for the security levels of the hybrid encryption systems. 1.2 Motivations It is not clear the necessary and sufficient conditions for the tag-KEM/DEM framework, in contrast to the KEM/DEM framework [5]. There are differences between the KEM/DEM framework and the tag-KEM/DEM framework as illustrated by the Kurosawa-Desmedt system, for example. Therefore, it is important to study the necessary and sufficient conditions for the tag-KEM/DEM framework and to understand the differences between the KEM/DEM and the tag-KEM/DEM frameworks for several security notions. In the contrast to the KEM/DEM framework, we may not need strong security notions to construct a hybrid encryption system which satisfies a certain security notion with the tag-KEM/DEM framework. 1.3 Our Contributions (1) We define the security notions on non-malleability for tag-KEM, i.e. weak nonmalleability (wNM), comparison non-malleability (CNM), and simulation nonmalleability (SNM), by following the definitions of KEM [5,8]. We define, in addition to the above notions, the security notion related to non-malleability for tag-KEM, i.e. indistinguishability under parallel chosen ciphertext attack based on non-malleability (PNM), by following the definitions of KEM [8]. (2) We prove the equivalence among the CNM-ATK security, the SNM-ATK security, and the PNM-ATK security for tag-KEM, as in the case of KEM [8]. We call these security notions strong non-malleability(sNM). We note that the wNM-ATK security is not equal to the sNM-ATK security. (3) We analyze implications and separations between each pair of the security notions on tag-KEM, as in the case of KEM [5]. This result is described in Fig. 1. (4) We study the necessary and sufficient conditions for the security level of the hybrid encryption system with the tag-KEM/DEM framework, as in the case of KEM [5]. This result is described in Fig. 2.

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

sNM-CPA

sNM-CCA1

sNM-CCA1.5

sNM-CCA2

IND-CPA

IND-CCA1

IND-CCA1.5

IND-CCA2

wNM-CPA

wNM-CCA1

wNM-CCA1.5

wNM-CCA2

345

Fig. 1. Relations among the security notions of tag-KEMs

IND-{OT,CCA2} DEM wNM-{CPA, CCA1, CCA1.5, CCA2} tag- < IND-CPA PKE (Theorem 7) KEM

√

IND-CPA tag-KEM

≥ IND-CPA PKE (This is trivial from [1].) < NM-CPA, IND-CCA1 PKE

sNM-CPA tag-KEM

√ ≥ NM-CPA PKE (Theorem 6) < IND-CCA1 PKE (the proof in the full paper)

IND-{CCA1,CCA1.5} tag-KEM

≥ IND-CCA1 PKE (This is trivial from [1].) < NM-CPA PKE (the proof in the full paper)

sNM-{CCA1,CCA1.5} tag-KEM

√ ≥ NM-CCA1 PKE (Theorem 6) < IND-CCA2 PKE (the proof in the full paper)

IND-CCA2 tag-KEM

≥ IND-CCA2 PKE [1]



Fig. 2. Necessary and sufficient conditions for hybrid encryptions

In Fig. 1, solid arrows from X to Y mean that every tag-KEM system which satisfies the security notion X also satisfies the security notion Y. Dotted arrows from X to Y means that the security notion X always implies the security notion Y in the case of KEM system. “X  Y” means that the security notion X does not always imply the security notion Y. From Fig. 1, for each two notions, an implication or a separation can be derived.

346

T. Matsuda et al.

In Fig. 2, the symbol ≥ means that, for any combination of tag-KEM and DEM with security notions in the cells, the hybrid encryption system from them satisfies the security notions in the cells. The symbol < means that there exists a certain combination of tag-KEM and DEM with the security notions in the cells, such that PKE from them does not satisfy the security notions in the cells. The mark  indicates a known result. √ The mark indicates our contributions. Definitions of the Security Notions on Tag-KEM. We define the security notions on non-malleability for tag-KEM, i.e. weak non-malleability (wNM), comparison nonmalleability (CNM), and simulation non-malleability (SNM), by following the definitions of KEM [5,8]. We define, in addition to the above notions, the security notion related to non-malleability for tag-KEM, i.e. indistinguishability under parallel chosen ciphertext attack based on non-malleability (PNM). We only consider adversaries which are non-copying in experiments about nonmalleability for tag-KEM (resp. PKE): In each experiment of non-malleability for tagKEM (resp. PKE), adversary does not output the same encapsulation and tag (resp. ciphertext) as the challenge encapsulation and tag (resp. ciphertext). It was proved that three definitions, except for weak non-malleability, are equivalent in the case of publickey encryption systems and KEM for non-copying adversaries [2,3,8]. We prove these equivalence on tag-KEM for non-copying adversaries, and call these security notions strong non-malleability (sNM). We note that three definitions for copying adversaries are not equivalent in the case of PKE [9]. In contrast to the definitions of the security notions for KEM and PKE which are formalized in two stages, the definitions of the security notions for tag-KEM are formalized in three stages. So, we classify the attacks into four types, i.e. CPA, CCA1, CCA1.5, and CCA2. These notions of the security are classified by the adversary’s access to the decryption oracle in each stage. Furthermore, we classify the goals into IND, sNM, and wNM as in the case of KEM [5]. Consequently, the notions of the security are classified into twelve types as in Fig. 1. The security notion of CPA is that the adversary does not always have access to the decryption oracle, and the security notion of CCA2 is that the adversary always has access to the decryption oracle without sending to the challenge ciphertext. The security notions of CCA1 and CCA1.5 is limited with access to the decryption oracle. The former can access the decryption oracle only in the first stage, and cannot in the second and third stages. The latter can access the decryption oracle only in the first and second stages, and cannot in the third stage. Implications and Separations among the Security Notions on the Tag-KEM. In the case of KEM, the wNM-{CPA, CCA1} security implies the IND-{CPA, CCA1} security and the inverse implication does not hold1 . In other words, the wNM-{CPA, CCA1} security is a strictly stronger security notion than the IND-{CPA, CCA1} security. In contrast, in the case of tag-KEM, these implications do not hold. That is, even the wNM-CCA2 security does not imply the IND-CPA security in the case of tagKEM. The wNM-CCA2 security does not also imply the sNM-CPA security in the 1

The wNM-CCA2 security does not always imply the IND-CCA2 security, even for KEM.

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

347

cases of both KEM and tag-KEM. The other implications are almost similar in the case of KEM [5].

Sufficient and Necessary Conditions for Hybrid Encryption Systems. Let KEM, TKEM, and DEM denote a KEM system, a tag-KEM system, and a DEM system, respectively. Let PKEKEM,DEM denote a hybrid encryption system which consists of KEM and DEM with the KEM/DEM framework. Let PKETKEM,DEM denote a hybrid encryption system which consists of TKEM and DEM with the tag-KEM/DEM framework. In the case of the KEM/DEM framework, it is known that the sufficient and necessary conditions for the security of the hybrid encryption systems [5]. However, in the case of the tag-KEM/DEM framework, it is only known that if TKEM satisfies the IND-CCA2 security and DEM satisfies the IND-OT security, PKETKEM,DEM satisfies the IND-CCA2 security [1]. We make it clear the characterization of the other security notions for the tagKEM/DEM framework with the twelve notions of tag-KEM and two notions of DEM. That is, when a tag-KEM system satisfies a certain security notion and a DEM system satisfies a certain security notion, we characterize the security notions that the hybrid encryption systems satisfy. We consider only the two security notions IND-{OT, CCA2} on DEM. The reason is that the IND-OT security is considered as the weakest security notion and the IND-CCA2 security is considered as the strongest security notion. The IND-OT security gives a lower bound on the security level of the hybrid encryption system with tag-KEM/DEM framework, and the IND-CCA2 security gives an upper bound on the security level of the hybrid encryption system. Another reason is that the security level of hybrid encryption systems from the tag-KEM/DEM framework is hardly affected by the security level of DEM as shown in Fig. 2.

Discussion on the Gap between KEM/DEM and Tag-KEM/DEM An example was shown that there exists PKEKEM,DEM which does not always satisfy the IND-CCA2 security even if KEM satisfies the IND-CCA2 security and DEM satisfies the IND-OT security [5]. As far as we know, this is the first result on the gap between the KEM/DEM and the tag-KEM/DEM frameworks. We describe this gap as indicated by the mark  in Fig. 2. Nagao, Manabe, and Okamoto have proposed the security notions of nonmalleability for KEM [8]. Herranz et al. called those notions strong non-malleability (sNM) [5]. They showed that PKEKEM,DEM may not be NM-{CPA, CCA1} secure in the KEM/DEM framework, even if KEM is sNM-{CPA, CCA1} secure and DEM is IND-OT secure. In contrast, we show that PKETKEM,DEM is NM-{CPA, CCA1} secure in the tag-KEM/DEM framework, if TKEM is sNM-{CPA, CCA1} secure and DEM is IND-OT secure. We prove that there exists TKEM and DEM such that PKETKEM,DEM is not secure in the sense of the IND-CPA security even if TKEM satisfies the wNM-CCA2 security and DEM satisfies the IND-CCA2 security. This gap between KEM and tag-KEM depends on their different structures for a tag.

348

T. Matsuda et al.

We simply define the wNM security on tag-KEM by following the definition in the case of KEM from [5] and obtain the negative fact on the wNM security (i.e. wNMCCA2 tag-KEM + IND-CCA2 DEM  IND-CPA PKE). This security notion does not seem to grasp suitably the notion of non-malleability in the case of the tag-KEM/DEM framework. It may be interesting to consider other security notions which have weaker properties than the properties of the sNM security and adequately grasp the notion of non-malleability. The most noticeable result in this paper is the fact that, if a tag-KEM system satisfies the sNM-{CPA,CCA1} security and a DEM system satisfies the IND-OT security then the PKE system with the tag-KEM/DEM framework satisfies the NM-{CPA,CCA1} security. The reason is that this fact shows the essential differences between the tagKEM/DEM framework and the KEM/DEM framework. The other sufficient and necessary conditions for the hybrid encryption system are almost similar to [5], and their proofs are almost similar to [5]. 1.4 Organization In Section 2, we review some definitions of tag-KEM, DEM, and PKE. Then, we recall the tag-KEM/DEM framework. In Section 3, we define the security notions on tag-KEM, i.e. the wNM security, the CNM security, the SNM security, and the PNM security. In Section 4, we present three theorems. One of them means the equivalence on the CNM security, the SNM security, and the PNM security. The others mean the difference between the KEM/DEM and the tag-KEM/DEM frameworks. One theorem is positive and the other is negative. In Section 5, we give their proof sketches.

2 Preliminaries Notations If k ∈ N then 1k denote the string of k ones. If S is a set then s ← S represents an operation of picking an element s in S at uniformly random. We write l-dimensional vectors as ai li=1 = (a1 , a2 , . . . , al ) and similarly ai , bi li=1 = ((a1 , b1 ), (a2 , b2 ), . . . , (al , bl )). We write y ← A(x1 , x2 , · · · , xn ) to indicate that A is a probabilistic algorithm which receives n inputs x1 , x2 , · · · , xn and then outputs y. In the case that an algorithm A has access to oracles O1 (·), O2 (·), · · · , Om (·), we write it as AO1 (·),O2 (·),··· ,Om (·) (x1 , x2 , · · · , xn ). Requirement of Adversaries in each Experiment We only consider adversaries which are legitimate in each experiment for tag-KEM (resp. DEM and PKE): in every CCA2 experiment for tag-KEM (resp. DEM and PKE), adversaries does not query to its decryption oracle with the same challenge encapsulation and the tag (resp. the challenge ciphertext) in the CCA2 experiment. 2.1 Key Encapsulation Mechanism with Tag A key encapsulation mechanism with tag (tag-KEM) system TKEM = (TKEM.Gen, TKEM.Key, TKEM.Enc, TKEM.Dec) consists of four algorithms. Formally, (pk, sk) ←

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

349

TKEM.Gen(1k ) is a probabilistic algorithm that generates a public key pk and a private

key sk. The public key pk is used to encapsulate a session key, and the secret key sk is used to decapsulate an encapsulation. (w, K) ← TKEM.Key(pk) is a probabilistic algorithm that generates a session key K ∈ K and internal state information w. The session key K is used for encryption of DEMs. C ← TKEM.Enc(w, τ) is a probabilistic algorithm that encrypts K into C by using τ, where τ is called a tag. We describe a tag space as T . K ← TKEM.Dem(sk, C, τ) is a deterministic algorithm that recovers K from C and τ. For every sk, K, C, and τ associated with the above three functions, we claim TKEM.Dec(sk, C, τ) = K. Here, we only consider tag-KEM systems that produce uniformly distributed keys. In the other words, we require that for every public key pk, the second element of an output of TKEM.Enc(pk) has the uniform distribution on key space K. We keep generality on our discussion since most KEM systems and tag-KEM systems have this property. Furthermore, key space K is restricted to l(k) bits space {0, 1}l(k) , where k is the security parameter and l is some polynomial. We only consider this setting, since tag space T is equal to DEM’s ciphertext space in the case of the tag-KEM/DEM framework. 2.2 Data Encapsulation Mechanism A data encapsulation mechanism (DEM) system DEM = (DEM.Enc, DEM.Dec) consists of two algorithms and key space K. Formally, τ ← DEM.Enc(K, m) is a probabilistic algorithm that encrypts m into τ by using K, where a key K is chosen uniform randomly in K. m ← DEM.Dem(K, τ) is a deterministic algorithm that recovers m from K and τ. For every K, m, and τ associated with the above DEM.Enc, we claim DEM.Dec(K, τ) = m. We require key space K is restricted to l(k) bits space {0, 1}l(k) , where k is the security parameter and l is some polynomial. 2.3 Public Key Encryption A public-key encryption (PKE) PKE = (PKE.Gen, PKE.Enc, PKE.Dec) consists of three algorithms. Formally, (pk, sk) ← PKE.Gen(1k ) is a probabilistic algorithm that generates a public key pk and a secret key sk. The public key pk is published and used to encrypt messages. The secret key sk is unpublished and used to decrypt the ciphertext into the message. γ ← PKE.Enc(pk, m) is a probabilistic algorithm that encrypts m into γ by using pk. γ is called a ciphertext. m ← PKE.Dec(sk, γ) is a deterministic algorithm that recovers m from γ by using sk. For every pk, m, and γ associated with the above two algorithm, we claim PKE.Dec(sk, γ) = m. 2.4 PKE Constructed from the Tag-KEM/DEM Framework Abe et al. proposed the tag-KEM/DEM framework to capture the formulation for the Kurosawa-Desmedt KEM/DEM [1,7,6]. In this paper, we only consider public-key encryption systems constructed from the tag-KEM/DEM framework. Let TKEM = (TKEM.Gen, TKEM.Key, TKEM.Enc, TKEM.Dec) be a tag-KEM system and DEM = (DEM.Enc, DEM.Dec) a DEM system. We assume that the tag-KEM’s key space is equal to the DEM’s key space. Then we can construct PKE system PKETKEM.DEM = (PKE.Gen, PKE.Enc, PKE.Dec) as follows.

350

T. Matsuda et al.

PKE.Gen(1k ): PKE.Enc(pk, m): (pk, sk) ← TKEM.Gen(1k ) (w, K) ← TKEM.Key(pk) return (pk, sk) τ ← DEM.Enc(K, m) C ← TKEM.Enc(w, τ)

γ ← (C, τ) return γ

PKE.Dec(sk, γ):

parse (C, τ) ← γ K ← TKEM.Dec(sk, C, τ) m ← DEM.Dec(K, τ) return m

3 The Security Notions of Tag-KEM In this section, we define the security notions on tag-KEM, i.e. wNM-ATK, CNMATK, SNM-ATK, and PNM-ATK. In order to simplify the description, we use unified definitions on ATK ∈ {CPA, CCA1, CCA1.5, CCA2} in each experiment as follows. If ATK = CPA, then O1 = O2 = O3 = ⊥. If ATK = CCA1, then O1 = TKEM.Dec(sk, ·, ·) and O2 = O3 = ⊥. If ATK = CCA1.5, then O1 = O2 = TKEM.Dec(sk, ·, ·) and O3 = ⊥. If ATK = CCA2, then O1 = O2 = O3 = TKEM.Dec(sk, ·, ·). We denote by n a polynomial in the security parameter k in the following definitions. 3.1 wNM-ATK Tag-KEM We define weak non-malleability for tag-KEM by following in [5]. Roughly speaking, the wNM experiment means that the adversary A cannot modify the challenge encapsulation C ∗ and the tag τ∗ into other encapsulations and tags related to (C ∗ , τ∗ ) without ∗ receiving challenge keys (Kc∗ , K1−c ). The most importance in this definition is that the ∗ adversary does not receive the challenge keys (Kc∗ , K1−c ). As explained in Section 1.3, one of the differences between KEM and tag-KEM depends on the fact that the adversary which does not know the real key K0∗ must make a tag τ∗ . Definition 1 (wNM-ATK tag-KEM). Let TKEM be a tag-KEM system. We define the def wNM-ATK wNM-ATK advantage AdvwNM-ATK TKEM, A (k) = | Pr[ExptTKEM, A (k, 0) = 1] − Pr[ExptTKEM, A (k, 1) = 1]| for a legitimate and non-copying adversary A as follows. If for every legitimate and non-copying adversary A = (A1 , A2 , A3 ), AdvwNM-ATK TKEM, A (k) is negligible in the security parameter k, then we say that TKEM satisfies the wNM-ATK security, where ATK ∈ {CPA, CCA1, CCA1.5, CCA2}. ExptwNM-ATK TKEM, A (k, b):

(pk, sk) ← TKEM.Gen(1k ); st1 ← A1O1 (·) (pk) (w, K0∗ ) ← TKEM.Key(pk); K1∗ ← K (st2 , τ∗ ) ← AO2 2 (·) (st1 ); C ∗ ← TKEM.Enc(w, τ∗ ) (Rel, Ci , τi ni=1 ) ← A3O3 (·) (st2 , C ∗ ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) if Rel(Kb∗ , Ki ni=1 ) = 1, then return 1 else return 0

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

351

We can define the wNM-ATK experiment which consists of only two stages by merging the first and the second stages. However, we choose the definition which consists of three stages in order to integrate the definitions of the IND-ATK and the sNM-ATK experiments. 3.2 sNM-ATK Tag-KEM We define strong non-malleability (sNM) for tag-KEM as comparison non-malleability, simulation non-malleability, and indistinguishability under parallel chosen ciphertext attack based on non-malleability. We show three security notions are equivalent in Theorem 6. We only give a proof sketch in this paper, and a detailed proof can be found full version of this paper. In contrast, the wNM-ATK security is strictly weaker property than the sNM-ATK security. CNM-ATK Tag-KEM. We define comparison non-malleability (CNM) for tag-KEM by following [8]. Roughly speaking, the CNM experiment expresses whether the adversary A can modify the challenge encapsulation C ∗ and the tag τ∗ into other encapsulations and tags related to (C ∗ , τ∗ ). Definition 2 (CNM-ATK tag-KEM). Let TKEM be a tag-KEM system. We define def CNM-ATK  CNM-ATK the advantage AdvCNM-ATK TKEM, A (k) = | Pr[ExptTKEM, A (k) = 1] − Pr[ExptTKEM, A (k) = 1]| for a legitimate and non-copying adversary A as follows. If for every legitimate and non-copying adversary adversary A = (A1 , A2 , A3 ), AdvCNM-ATK TKEM,A (k) is negligible in the security parameter k, then we say that TKEM satisfies the CNM-ATK security, where ATK ∈ {CPA, CCA1, CCA1.5, CCA2}. ExptCNM-ATK TKEM, A (k): (pk, sk) ← TKEM.Gen(1k )

st1 ← A1O1 (·) (pk) (w, K0∗ ) ← TKEM.Key(pk); K1∗ ← K ∗ c ← {0, 1}; X ← (Kc∗ , K1−c ) O2 (·) ∗ (st2 , τ ) ← A2 (st1 , X) C ∗ ← TKEM.Enc(w, τ∗ ) (Rel, Ci , τi ni=1 ) ← A3O3 (·) (st2 , C ∗ ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) if Rel(K0∗ , Ki ni=1 ) = 1, then return 1 else return 0

 TKEM, A (k): Expt (pk, sk) ← TKEM.Gen(1k ) CNM-ATK

st1 ← AO1 1 (·) (pk) (w, K) ← TKEM.Key(pk); K0∗ , K1∗ ← K ∗ c ← {0, 1}; X ← (Kc∗ , K1−c ) O (·) (st2 , τ∗ ) ← A2 2 (st1 , X) C ∗ ← TKEM.Enc(w, τ∗ ) (Rel, Ci , τi ni=1 ) ← AO3 3 (·) (st2 , C ∗ ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) if Rel(K1∗ , Ki ni=1 ) = 1, then return 1 else return 0

From the definitions of the wNM-ATK experiment and the CNM-ATK experiment, the CNM-ATK security implies the wNM-ATK security. Because, for any wNM-ATK adversary A, we can construct the adversary A against the CNM-ATK security with the same advantage as the advantage of the adversary A. The adversary A does the same ∗ thing of the adversary A except that the adversary A ignores X = (Kc∗ , K1−c ). We have CNM-ATK wNM-ATK that the experiment ExptTKEM, A (k) is equal to the experiment ExptTKEM, A (k, 0), and

352

T. Matsuda et al. CNM-ATK

 TKEM, A (k) is equal to the experiment ExptwNM-ATK (k, 1). As a conclusion, we have Expt TKEM, A wNM-ATK AdvCNM-ATK TKEM, A (k) = AdvTKEM, A (k).

SNM-ATK Tag-KEM. We define simulation non-malleability (SNM) for tag-KEM by following in [8]. Roughly speaking, there exists a simulator S which output encapsulations without keys, where these encapsulations are the same as those the adversary with keys outputs. Definition 3 (SNM-ATK tag-KEM). Let TKEM be a tag-KEM system. We dedef fine the advantage AdvSNM-ATK = | Pr[ExptSNM-ATK = 1] − TKEM, A, S (k, Rel) TKEM, A (k, Rel) SNM-ATK Pr[ExptTKEM, S (k, Rel) = 1]| for a legitimate and non-copying adversary A, a relation Rel, and a simulator S as follows. If, for every legitimate and non-copying adversary A = (A1 , A2 , A3 ) and relation Rel, there exists some simulator S such that AdvSNM-ATK TKEM, A, S (k, Rel) is negligible in the security parameter k, then we say that TKEM satisfies the SNM-ATK security, where ATK ∈ {CPA, CCA1, CCA1.5, CCA2}. ExptSNM-ATK TKEM, A (k, Rel): (pk, sk) ← TKEM.Gen(1k )

st1 ← A1O1 (·) (pk) (w, K0∗ ) ← TKEM.Key(pk) ∗ K1∗ ← K; c ← {0, 1}; X ← (Kc∗ , K1−c ) O2 (·) ∗ (st2 , τ ) ← A2 (st1 , X) C ∗ ← TKEM.Enc(w, τ∗ ) (Ci , τi ni=1 , σ) ← AO3 3 (·) (st2 , C ∗ ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) if Rel(K0∗ , Ki ni=1 , σ) = 1, then return 1 else return 0

ExptSNM-ATK TKEM, S (k, Rel): (pk, sk) ← TKEM.Gen(1k )

st1 ← S 1O1 (·) (pk)

∗ K0∗ , K1∗ ← K; c ← {0, 1}; X ← (Kc∗ , K1−c ) O2 (·) st2 ← S 2 (st1 , X)

(Ci , τi ni=1 , σ) ← S 3O3 (·) (st2 ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) if Rel(K0∗ , Ki ni=1 , σ) = 1, then return 1 else return 0

PNM-ATK Tag-KEM. We define indistinguishability under parallel chosen ciphertext attack based on non-malleability (PNM) for tag-KEM by following [8]. This definition is proposed in order to prove the equivalence between the IND-CCA2 and the NMCCA2 security for PKE and KEM[2,3,8]. We also use the PNM-ATK security in order to prove the equivalence between the IND-CCA2 and the sNM-CCA2 security for tagKEM. Definition 4 (PNM-ATK tag-KEM). Let TKEM be a tag-KEM system. We define def PNM-ATK 1 the advantage AdvPNM-ATK TKEM, A (k) = | Pr[ExptTKEM, A (k) = 1] − 2 | for a legitimate and non-copying adversary A as follows. If for every legitimate and non-copying adversary A = (A1 , A2 , A3 , A4 ), AdvPNM-ATK TKEM, A (k) is negligible in the security parameter k, then we say that TKEM satisfies the PNM-ATK security, where ATK ∈ {CPA, CCA1, CCA1.5, CCA2}.

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

353

ExptPNM-ATK TKEM, A (k):

(pk, sk) ← TKEM.Gen(1k ); st1 ← A1O1 (·) (pk) (w, K0∗ ) ← TKEM.Key(pk); K1∗ ← K; b ← {0, 1} (st2 , τ∗ ) ← A2O2 (·) (st1 , Kb∗ ); C ∗ ← TKEM.Enc(w, τ∗ ) (st3 , Ci , τi ni=1 ) ← A3O3 (·) (st2 , C ∗ ) for every i, Ki ← TKEM.Dec(sk, Ci , τi ) b ← A4 (st3 , Ki ni=1 ) if b = b, return 1 else return 0 We remark that the PNM-ATK security implies the IND-ATK security by the definitions of the experiments, since the IND-ATK experiment is equal to the PNM-ATK experiment except for the one-time parallel decryption operation between the third stage and the forth stage. Moreover, the inverse implication holds in the case of CCA2 since the adversary with access to the decryption oracle does not need the one-time parallel decryption operation.

4 Theorems In this section, we present main theorems in this paper. We omit the other theorems and their detailed proofs. They can be found in the full version of this paper. In Section 5, we only present the proof sketches of the main theorems. Theorem 5 (Equivalence among three definitions for sNM-ATK). Let TKEM be a tag-KEM system and ATK ∈{CPA, CCA1, CCA1.5, CCA2}. TKEM satisfies the CNMATK security, if and only if TKEM satisfies the SNM-ATK security. Similarly, TKEM satisfies the CNM-ATK security, if and only if TKEM satisfies the PNM-ATK security. It has been already proved that the CNM-ATK, the SNM-ATK, and the PNM-ATK security are equivalent for any non-copying adversary in the case of PKE and KEM [2,3,8], but not yet proved in the case of tag-KEM. We prove the equivalence among these definitions. Theorem 6 (sNM-{CPA, CCA1} tag-KEM + IND-OT DEM ⇒ NM-{CPA,CCA1} PKE). If TKEM is an sNM-{CPA, CCA1} secure tag-KEM system and DEM is an INDOT secure DEM system, then PKETKEM,DEM is NM-{CPA,CCA1} secure . This theorem means that PKETKEM,DEM is NM-ATK secure, whenever TKEM is sNMATK secure and DEM is IND-OT secure. In contrast, it is proved by Herranz that this implication for the KEM/DEM framework does not hold [5]. Theorem 7 (wNM-CCA2 tag-KEM + IND-CCA2 DEM  IND-CPA PKE). There exists TKEM which is a wNM-CCA2 secure tag-KEM system and DEM which is an IND-CCA2 secure DEM system, such that PKETKEM,DEM is not IND-CPA secure. In the case of KEM, if a KEM system satisfies the wNM-{CPA, CCA1} security and a DEM system satisfies the IND-OT security, a PKE system from them satisfies the

354

T. Matsuda et al.

IND-{CPA, CCA1} security [5]. The reason is that the wNM-{CPA, CCA1} security implies the IND-{CPA, CCA1} security. However, in the case of tag-KEM, even if a tag-KEM system satisfies the wNM-CCA2 security and a DEM system satisfies the IND-CCA2 security, a PKE system from them satisfies the IND-CPA security. The wNM security for tag-KEM is insufficient to construct hybrid encryption systems with the weakest security, i.e. the IND-CPA security.

5 Proof Sketches of Theorem 5, Theorem 6, and Theorem 7 In this section, we present the proof sketches of Theorem 5, Theorem 6, and Theorem 7. The detailed proofs can be found in the full version of this paper. 5.1 Proof Sketch of Theorem 5 The proof of this theorem is clearly proved by Lemma 8, Lemma 9 and Lemma 10. In order to prove, we modify the proofs of these lemmas in [8]. Lemma 8 (CNM-ATK ⇒ SNM-ATK). Let TKEM be a tag-KEM system. If TKEM satisfies the CNM-ATK security, then TKEM satisfies the SNM-ATK security. Lemma 9 (SNM-ATK ⇒ PNM-ATK). Let TKEM be a tag-KEM system. If TKEM satisfies the SNM-ATK security, then TKEM satisfies the PNM-ATK security. Lemma 10 (PNM-ATK ⇒ CNM-ATK). Let TKEM be a tag-KEM system. If TKEM satisfies the PNM-ATK security, then TKEM satisfies the CNM-ATK security. First, we present the proof sketch of Lemma 8. We prove that TKEM is not secure in the sense of CNM-ATK if TKEM is not secure in the sense of SNM-ATK. Let A = (A1 , A2 , A3 ) be the adversary against the SNM-ATK security. Using the adversary A, we construct the adversary B = (B1, B2 , B3 ) against the CNM-ATK security and the simulator S˜ = (S˜ 1 , S˜ 2 , S˜ 3 ) in the SNM-ATK experiment as follows. B1 (pk)O1 (·) : BO2 2 (·) (st1 , X): O1 (·) st1 ← A1 (pk) (st2 , τ∗ ) ← AO2 (·) (st1 , X) 2 return st1 return (st2 , τ∗ )

B3O3(·) (st2 , C ∗ ): (Ci , τi ni=1 , σ) ← AO3 3 (·) (st2 , C ∗ ) define Rel , as bind σ to the last input of Rel return (Rel , Ci , τi ni=1 )

S˜ 1 (pk)O1 (·) : S˜ 2O2 (·) (st1 ||pk, X): O1 (·) st1 ← A1 (pk) (st2 , τ∗ ) ← AO2 (·) (st1 , X) 2 return st1 ||pk return (st2 ||pk||τ∗ , τ∗ )

S˜ 3O3 (·) (st2 ||pk||τ∗ ): (K, w) ← TKEM.Key(pk) C ← TKEM.Enc(w, τ∗ ) (Ci , τi ni=1 , σ) ← A3O3 (·) (st2 , C) if (Ci , τi )  (C, τ∗ ) for every i, then return (Ci , τi ni=1 , σ) else abort

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

355

The adversary B in the experiment ExptCNM-ATK TKEM, B perfectly simulates the SNM-ATK experiment for A, when B received X which is a pair of real and random keys. The simulator S˜ in the experiment ExptSNM-ATK can perfectly simulate the act of B in the TKEM, S˜  TKEM, B . Hence, we have experiment Expt CNM-ATK

CNM-ATK

CNM-ATK  AdvCNM-ATK TKEM, B (k) = | Pr[ExptTKEM, B (k) = 1] − Pr[ExptTKEM, B (k) = 1]| SNM-ATK = | Pr[ExptSNM-ATK TKEM, A (k) = 1] − Pr[ExptTKEM, S˜ (k) = 1]|

= AdvSNM-ATK (k, Rel). TKEM, A, S˜ Second, we present the proof sketch of Lemma 9. We prove that TKEM is not secure in the sense of SNM-ATK if TKEM is not secure in the sense of PNM-ATK. Let A be the adversary against the PNM-ATK security. Using the adversary A = (A1 , A2 , A3 , A4 ), we construct the adversary B = (B1 , B2, B3 ) against the SNM-ATK security and a relation Rel as follows. B1 (pk)O1 (·) : st1 ← A1O1 (·) (pk) return st1

BO2 2(·) (st1 , X): parse X = (K, K ) (st2 , τ∗ ) ← A2O2 (·) (st1 , K) return (st2 ||X, τ∗ )

B3O3 (·) (st2 ||X, C ∗ ): (st3 , Ci , τi ni=1 ) ← A3O3 (·) (st2 , C ∗ ) r ← {0, 1}k σ ← (st3 , r, X) return (Ci , τi ni=1 , σ )

Rel(Y, Ki ni=1 , σ ): parse σ = (st3 , r, X), X = (K, K ) if Y = K, then g = 0 else if Y = K , then g = 1 otherwise, return 0 g ← A4 (st3 , Ki ni=1 ; r) if g = g , then return 1 else return 0 We note that r chosen by B3 is used to A4 ’s random input. We define the events Real that Y = K in Rel and Random that Y = K in Rel. From the construction of B and Rel, we have PNM-ATK Pr[ExptSNM-ATK TKEM, B (k, Rel) = 1|Real] = Pr[ExptTKEM, A (k) = 1|b = 0] PN M−AT K Pr[ExptSNM-ATK TKEM, B (k, Rel) = 1|Random] = Pr[ExptTKEM, A (k) = 1|b = 1].

Hence, we have Pr[ExptSNM-ATK TKEM, B (k, Rel) = 1] 1 SNM-ATK = (Pr[ExptSNM-ATK TKEM, B (k, Rel) = 1|Real] + Pr[ExptTKEM, B (k, Rel) = 1|Random]) 2 1 PNM-ATK = (Pr[ExptPNM-ATK TKEM, A (k) = 1|b = 0] + Pr[ExptTKEM, A (k) = 1|b = 1]) 2 = Pr[ExptPNM-ATK TKEM, A (k) = 1].

356

T. Matsuda et al.

Next, let S be a simulator in the SNM-ATK security. We define the event Bad that Y  K ∧ Y  K in the SNM-ATK experiment for simulators. Then, for every simulator S , we have

Pr[ExptSNM-ATK TKEM, S (k, Rel) = 1] = Pr[g = g ∧ ¬Bad] ≤

1 . 2

Hence, we conclude SNM-ATK SNM-ATK AdvSNM-ATK TKEM, B, S (k, Rel) = | Pr[ExptTKEM, B (k, Rel) = 1] − Pr[ExptTKEM, S (k, Rel) = 1]|

1 PNM-ATK ≥ | Pr[ExptPNM-ATK TKEM, A (k) = 1] − | = AdvTKEM, A (k). 2 Finally, we present the proof sketch of Lemma 10. We prove that TKEM is not secure in the sense of PNM-ATK if TKEM is not secure in the sense of CNM-ATK. Let A = (A1 , A2 , A3 ) be the adversary against the CNM-ATK security. Using the adversary A, we construct the adversary B = (B1 , B2, B3 , B4 ) against the PNM-ATK security as follows. B1 (pk)O1 (·) : st1 ← AO1 1 (·) (pk) return st1

B2O2(·) (st1 , X0 ): X1 ← K; c ← {0, 1} X ← (Xc , X1−c ) (st2 , τ∗ ) ← AO2 2 (·) (st1 , X) return (st2 ||X0 , τ∗ )

B3O3(·) (st2 ||X0 , C ∗ ): (Rel, Ci , τi ni=1 ) ← AO3 3 (·) (st2 , C ∗ ) st3 ← (Rel, X0 ) return (st3 , Ci , τi ni=1 )

B4 (st3 , Ki ni=1 ): if Rel(X0 , Ki ni=1 ) = 1, then b ← 0 else b ← 1 return b

From the construction of B, we have n Pr[ExptPNM-ATK TKEM, B (k) = 1|b = 0] = Pr[Rel(X0 , Ki i=1 ) = 1|X0 is a real key]

= Pr[ExptCNM-ATK TKEM, A (k) = 1], n Pr[ExptPNM-ATK TKEM, B (k) = 0|b = 1] = Pr[Rel(X0 , Ki i=1 ) = 1|X0 is a random key]

 CNM-ATK = Pr[Expt TKEM, A (k) = 1]. Therefore, we conclude PNM-ATK AdvPNM-ATK TKEM, B (k) = | Pr[ExptTKEM, B (k) = 1] −

1 | 2

1 PNM-ATK | Pr[ExptPNM-ATK TKEM, B (k) = 1|b = 0] + Pr[ExptTKEM, B (k) = 1|b = 1] − 1| 2 1 PNM-ATK = | Pr[ExptPNM-ATK TKEM, B (k) = 1|b = 0] − Pr[ExptTKEM, B (k) = 0|b = 1]| 2  CNM-ATK = | Pr[ExptCNM-ATK (k) = 1] − Pr[Expt TKEM, A (k) = 1]| =

TKEM, A

= AdvCNM-ATK TKEM, A (k).

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

357

5.2 Proof Sketch of Theorem 6 First, we only consider the case of CCA1. Let TKEM be a tag-KEM system satisfies the PNM-CCA1 security and DEM be a DEM system satisfies the IND-OT security. Then, PKETKEM,DEM is a hybrid encryption system from them with the tag-KEM/DEM framework. We show PKETKEM,DEM satisfies the NM-CCA1 security by modifying the NM-CCA1 experiment into the games, Game0 (b), Game1 (b), Game2 (b). The game Game0 (b) is equal to the experiment ExptNM-CCA1 (k, b). PKETKEM,DEM , A Game0 (b):

(pk, sk) ← TKEM.Gen(1k ) (st, M) ← A1O1 (·) (pk) m∗0 , m∗1 ← M (w, K ∗ ) ← TKEM.Key(pk) τ∗ ← DEM.Enc(K ∗ , m∗0 ) C ∗ ← TKEM.Enc(w, τ∗ ) γ∗ ← (C ∗ , τ∗ ) (Rel, γi ni=1 ) ← A2 (st, γ∗ ) for every i, mi ← PKE.Dec(sk, γi ) if Rel(m∗b , mi ni=1 ) = 1, return 1 else return 0

Game1 (b):

(pk, sk) ← TKEM.Gen(1k ) (st, M) ← AO1 1 (·) (pk) m∗0 , m∗1 ← M (w, K ∗ ) ← TKEM.Key(pk) K ← K τ∗ ← DEM.Enc(K , m∗0 ) C ∗ ← TKEM.Enc(w, τ∗ ) γ∗ ← (C ∗ , τ∗ ) (Rel, γi ni=1 ) ← A2 (st, γ∗ ) for every i, mi ← PKE.Dec(sk, γi ) if Rel(m∗b , mi ni=1 ) = 1, return 1 else return 0

Game2 (b):

(pk, sk) ← TKEM.Gen(1k ) (st, M) ← A1O1 (·) (pk) m∗0 , m∗1 ← M (w, K ∗ ) ← TKEM.Key(pk) K ← K τ∗b ← DEM.Enc(K , m∗b ) Cb∗ ← TKEM.Enc(w, τ∗b ) γb∗ ← (Cb∗ , τ∗b ) (Rel, γi ni=1 ) ← A2 (st, γb∗ ) for every i, mi ← PKE.Dec(sk, γi ) if Rel(m∗0 , mi ni=1 ) = 1, return 1 else return 0

We denote modified parts by underlines. On this modification, we state the following claims. Claim 11. For every b ∈ {0, 1} and every adversary B = (B1, B2 , B3 , B4), | Pr[Game0 (b) = 1] − Pr[Game1 (b) = 1]| ≤ AdvPNM-CCA1 TKEM, B (k). Claim 12. For every adversary C = (C1 , C2 ), | Pr[Game2 (0) = 1] − Pr[Game2 (1) = 1]| ≤ AdvIND-OT DEM, C (k). We can prove Claim 11 and Claim 12 with reduction to the PNM-CCA1 security for TKEM and the IND-OT security for DEM, respectively. Since changes between Game1 and Game2 are purely conceptual, we have Pr[Game2 (b) = 1] = Pr[Game1 (b) = 1]

for every b. From Claim 11 and Claim 12, we have AdvNM-CCA1 PKETKEM,DEM , A

= | Pr[ExptNM-CCA1 (k, 0) = 1] − Pr[ExptNM-CCA1 (k, 1) = 1]| PKETKEM,DEM , A PKETKEM,DEM , A = | Pr[Game0 (0) = 1] − Pr[Game0 (1) = 1]| IND-OT ≤ 2AdvPNM-CCA1 TKEM, B (k) + AdvDEM, C (k).

358

T. Matsuda et al.

Therefore, we can prove Theorem 6 in the case of CCA1. Similarly, we can prove it in the case of CPA, since the only difference between CCA1 and CPA is whether A1 has access to OA (·) or not. Incidentally, we can consider this proof to be another proof of the well-known theorem in [1] that PKETKEM,DEM is IND-CCA2 secure, where TKEM is an IND-CCA2 secure tag-KEM system and DEM is an IND-OT secure DEM system. 5.3 Proof Sketch of Theorem 7 Assume there exists a wNM-CCA2 secure tag-KEM TKEM = (TKEM.Gen, TKEM.Key, TKEM.Enc, TKEM.Dec) and an IND-CCA2 secure DEM DEM = (DEM.Enc, DEM.Dec). We modify DEM and TKEM into a new DEM and TKEM , respectively. DEM .Enc(K, m):

parse K = K1 ||K2 τ 1 ← DEM.Enc(K1 , m) τ 2 ← K2 return τ = τ 1 ||τ 2

DEM .Dec(K, τ ):

parse K = K1 ||K2 and τ = τ 1 ||τ 2 if K2 = τ 2 , then m ← DEM.Dec(K1 , τ 1 ) else m ← ⊥. return m

Claim 13. DEM is secure in the sense of IND-CCA2. The adversary A against the IND-CCA2 security of DEM can simulate the view of the adversary B against the IND-CCA2 security of DEM . The adversary A only picks K2 and checks that least significant bits of a ciphertext τ is equal to K2 . Next, we also modify TKEM to use DEM with key space {0, 1}2k into a new TKEM = (TKEM .Gen, TKEM .Key, TKEM .Enc, TKEM .Dec) with the same key space, which still satisfies the wNM-CCA2 security. We set TKEM .Gen = TKEM.Gen and the others as follows. TKEM .Key(pk): (w, K) ← TKEM.Key(pk)

divide K = K1 ||K2 w ← w||K1 ||K2 return (w , K1 ||K2 )

TKEM .Enc(w , τ ):

parse w = w||K1 ||K2 and τ = τ 1 ||τ 2 if K2 = τ 2 , then C1 ← DEM.Dec(K1 , τ 1 ) and C2 ← K1 ||K2 else C1 ← TKEM.Enc(w, τ 1 ) and C2 ← ⊥ return C1 ||C2

TKEM .Dec(sk, C1 ||C2 , τ ): parse τ = τ 1 ||τ 2 if C2 = ⊥, then return TKEM.Dec(sk, C1 , τ 1 ) else parse C2 = K1 ||K2 if K2 = τ 2 and C1 = DEM.Dec(K1 , τ 1 ), then return K1 ||K2 else return ⊥

Security on Hybrid Encryption with the Tag-KEM/DEM Framework

359

Claim 14. TKEM is secure in the sense of wNM-CCA2. The adversary A against the wNM-CCA2 security of TKEM can simulate the view of the adversary B against the wNM-CCA2 security of TKEM . If K2  τ 2 , then A can perfectly simulate the view of the adversary B against the wNM-CCA2 security of TKEM . The probability that K2 = τ 2 is negligible since K2 is perfectly secret and uniformly random. Therefore, we can ignore this event.



Claim 15. PKETKEM ,DEM is not secure in the sense of IND-CPA. We consider the adversary A



=

(A1 , A2 ) against the IND-CPA security of

PKETKEM ,DEM . In the first stage, A1 outputs (0k , 1k ) as challenge messages. By the definitions of TKEM and DEM , if 0k is encrypted in the IND-CPA experiment, then A2 receives (0k ||K1∗ ||K2∗ , DEM.Enc(K1∗ , 0k )) as the challenge ciphertext. Similarly, if 1k is encrypted in the IND-CPA experiment, then A2 receives (1k ||K1∗ ||K2∗ , DEM.Enc(K1∗ , 1k )).



Since these ciphertexts are distinguishable, PKETKEM ,DEM is not secure in the sense of

IND-CPA.

References 1. Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: A New Framework for Hybrid Encryption and A New Analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Heidelberg (2005) 2. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998) 3. Bellare, M., Sahai, A.: Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999) 4. Cramer, R., Shoup, V.: Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM Journal on Computing 33 (2003) 5. Herranz, J., Hofheinz, D., Kiltz, E.: KEM/DEM: Necessary and Sufficient Conditions for Secure Hybrid Encryption (2006), http://eprint.iacr.org/2006/265 6. Herranz, J., Hofheinz, D., Kiltz, E.: The Kurosawa-Desmedt Key Encapsulation is not Chosen-Ciphertext Secure (2006), http://eprint.iacr.org/2006/207 7. Kurosawa, K., Desmedt, Y.: A New Paradigm of Hybrid Encryption Scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004) 8. Nagao, W., Manabe, Y., Okamoto, T.: On the Equivalence of Several Security Notions of Key Encapsulation Mechanism (2006), http://eprint.iacr.org/2006/268 9. Pass, R., Shelat, A., Vaikuntanathan, V.: Relations Among Notions of Non-malleability for Encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 519–535. Springer, Heidelberg (2007) 10. Shoup, V.: A proposal for an ISO standard for public key encryption (version 2.1) (manuscript, 2001), http://www.shoup.net/papers/

A Highly Scalable RFID Authentication Protocol Jiang Wu and Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada {j32wu,dstinson}@uwaterloo.ca

Abstract. In previous RFID protocols, a hash-chain is used to achieve good privacy. Each tag is associated with a chain of Q hash values. To identify one tag out of a total of N tags, a server searches a table of size N Q. A naive search takes either Θ(N Q) time or Θ(N Q) memory, and therefore it does not scale well. A time-space tradeoff technique can mitigate the scalability problem. However, with the time-memory tradeoff, either time or space is still at least Θ((N Q)2/3 ). In this paper, we propose a novel RFID protocol to solve the scalability problem. The server “solves”, instead of “searches”, for a tag ID. The protocol is based on polynomial operations, and its security and privacy is based on the difficulty of reconstructing a polynomial with noisy data. The protocol supports very large values of the product N Q. In our demo implementation where N = 232 and Q = 13700, the server takes 0.1 seconds and 10K bytes memory to identify a tag. As a comparison, a hash-chain based protocol enhanced with a time-memory tradeoff will require about 67 seconds and a 1G bytes memory.

1

Introduction

Radio Frequency Identification (RFID) is an automated object identification technology. RFID systems consist of two main components: tags and readers. Tags are small radio transponders. They contain the identification information of objects to which they are attached. Readers query these tags for the identifying information about the objects. Readers often have secure access to a back-end database. For simplicity, a reader and a back-end database can be treated as a single entity. While being promising in a wide range of applications such as supply chain, anti-counterfeiting, and libraries, RFID also raises privacy and security concerns. Since RFID tags respond to radio interrogation automatically, malicious scanning of tags is a plausible threat. Even if the information emitted by a tag is encrypted, the information may be used to track the tag, thus causing privacy issues. An equally significant problem is authentication. One purpose of RFID 

Research supported by NSERC discovery grant 203114-06.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 360–376, 2009. c Springer-Verlag Berlin Heidelberg 2009 

A Highly Scalable RFID Authentication Protocol

361

tags is to prove the authenticity of objects. If an RFID tag can be scanned and replicated, then a counterfeit tag can be made to impersonate the authentic one. RFID protocols must provide privacy and security under those possible attacks. A common attack model is as follows. There is an adversary who is able to eavesdrop the communications between the tags and readers, interrogate the tags, and compromise some tags. The goal of the adversary is to impersonate or track uncompromised tags. Correspondingly, an RFID protocol needs to meet two requirements: be secure against impersonation and be untraceable. In addition to the security and privacy requirements, an RFID protocol needs to be scalable on the reader side and efficient on the tag side. An RFID system may have a large number, say, millions to billions, of tags. The RFID protocol must be scalable to allow the reader to deal with such a large number of tags. On the other hand, a tag has very limited resources in computation and memory, so the protocol must be efficient on the tag side. For cryptographic tools, symmetric key techniques are usually considered feasible for some RFID tags while public key techniques are considered unsuitable for any of them. To design an RFID protocol satisfying all the desired privacy, security, scalability, and efficiency properties is challenging. Privacy makes RFID authentication different from conventional cryptographic authentication. Using symmetric key techniques, secure authentication relies on a symmetric key shared between a tag and reader. For privacy, a tag cannot identify itself to a reader before an authentication interaction, thus the reader does not know which key to use in the interaction. A straightforward solution is to try every key. This is prohibitively costly when the number of tags becomes large. This is known as the key search problem. Literature in this area has sought to reduce the cost of key search. Every such protocol proposed so far involves some kind of tradeoff among the desired properties [13]. Our Contributions. In this paper, we propose a novel RFID protocol to solve the key search problem. The server “solves”, instead of “searches”, for a tag ID in an identification process. The operation is based on polynomial computations and its security and privacy is based on the difficulty of reconstructing polynomials with noisy data. The protocol supports a very large number of tags as well as a very large number of queries on one tag, which is impractical for previous protocols. At the same time, the protocol is secure and privacy-preserving. Organization. The remainder of the paper is organized as follows. In Section 2, we review RFID protocols addressing the scalability issue. In Section 3, we present our scheme. Section 4 gives the security analysis. Section 5 gives the performance analysis, and Section 6 concludes the paper.

2

Related Work

In this section, we review previous approaches and solutions to the key search problem in the literature. In [13], Juels gave a comprehensive survey of RFID

362

J. Wu and D.R. Stinson

security and privacy, including the key search problem. Here we briefly review the existing solutions. Tree approach. In [16], Molnar and Wagner proposed a scheme to reduce the key search cost to Θ(log n) where n is the total number of keys. The scheme uses d sets of keys K1 , . . . , Kd . Each set contains b keys. Each tag is assigned with d keys k1 ∈ K1 , . . . , kd ∈ Kd . The key assignment can be represented as a tree of depth d and each node has d children. The scheme can accommodate up to bd tags in total. In an identification session, the tag runs d rounds of interaction with the reader. In the ith round, the tag uses the key ki , and the reader searches Ki . In a session, the reader needs to search through db keys. Since a key will be used in more than one tag, compromise of one tag results in compromise of keys in other tags; hence this leads to privacy infringements [2]. Synchronization approach. The basic idea in the synchronization approach is for the reader and tags to maintain a synchronized state. For example, every tag Ti maintains a counter ci . On interrogation, the tag outputs E = fki (ci ) where f is a keyed hash function and ki is a secret key shared between the reader and Ti , then increases ci . The reader can compute all possible outputs of all tags and store the results in a searchable table. In each interrogation, the reader searches the response from the tag in the table. There are several variants of the above approach in the literature, e.g., Ohkubo, Suzuki, and Kinoshita [19], Henrici and M¨ uller [11], Juels [12], and Dimitriou [8]. Time-space tradeoff approach. In [3] and [2], Avoine, Dysli, and Oechslin 2 used a time-space trade-off to achieve Θ(n 3 ) in both memory and time complexity for key search. Time-space tradeoff is used as an enhancement to the synchronization approach. The basic idea is to organize all future response values of all tags in chains. Each chain consists of a sequence of response values as follows. The reader chooses a random function f to map a response value x to a pair (i, j), then the response of tag i at the j th query will be the successor of x in the chain. Only the head and the tail of a chain is stored. When receiving a response x, the reader can apply f to get its successors. The reader searches x and its successors in all the tails of the chains to locate the chain which contains x. Then it starts from the head of the chain, applies f repeatedly, and locates (i, j) of x.

3

Scheme Description

In this section, we present our RFID protocol. We assume that there are N tags and one reader (here the reader refers to an entity consisting of the actual reader, the database that stores the tag information, and perhaps an application server which processes the data). We also assume that a tag is capable of generating random bits, computing cryptographic hash functions, and modular multiplication over a field F2l . Such tags would fall into the category of symmetric-key tags in [13].

A Highly Scalable RFID Authentication Protocol

3.1

363

Initial Setup

The initial setup configures the reader and the tags as follows. – Choose an l-bit block cipher and a secret key. Let E be the encryption function and D be the decryption function. – Generate m random bivariate polynomials f1 (x, y), . . . , fm (x, y) over a finite field F2l . The degree of x and y in each fi is at most k. – Assign the m polynomials to the reader. – For tag i, 1 ≤ i ≤ N , compute xi = E(i) as its meta ID, then • store m univariate polynomials f1,i (y) = f1 (xi , y), . . . , fm,i (y) = fm (xi , y) in the tag in a randomly permuted order. • Set a counter c to 0. • Set an interrogation threshold Qmax , which is the maximum number of queries that the tag will answer correctly. • Set a number b, which will be used in the protocol. – Choose a secure hash function h : {0, 1}∗  → {0, 1}l which will be used by readers and tags. Note that the meta ID xi is not stored in the tag or the reader. We will discuss the parameter selection for l, m, b, k, and Qmax in the analysis and performance sections. 3.2

Authentication

The authentication process between a reader and a tag i is as follows. 1. The reader generates r ∈ F2l uniformly at random, then sends r to the tag. 2. If c > Qmax , then the tag responds with b random points in F2l × F2l . Otherwise, the tag does the following: (a) Generate r ∈ F2l uniformly at random, and compute y  = h(r||r ). (b) Choose g from {f1,i , . . . , fm,i } randomly, and compute z  = g(y  ). (c) Generate b − 1 pairs of points (r1 , z1 ) . . . , (rb−1 , zb−1 ) ∈ F2l × F2l uniformly at random. (d) Send the b points (r , z  ), (r1 , z1 ), . . . , (rb−1 , zb−1 ) to the reader in a random order. (e) Set c = c + 1. 3. After receiving the b points, for each point (r , z  ) and each polynomial f ∈ {f1 , . . . , fm }, the reader solves the equation z  = f (x, h(r||r )). The reader needs to solve mb such equations, and each equation generates up to k solutions. If any solution x is a valid meta ID, i.e., 1 ≤ D(x) ≤ N , then the reader identifies the tag ID as D(x). Remark. In Step 2 (b), to pick a polynomial, the tag can use two different approaches. One is random choice and the other is random permutation. In random choice, each time, the tag chooses one polynomial from the m polynomials uniformly at random. In random permutation, the choice of g in m consecutive authentication sessions is a random permutation of the m polynomials assigned to the tag. In the following parts, we assume the random permutation approach.

364

J. Wu and D.R. Stinson

Correctness. If the reader receives b points from a valid tag with ID i, then one of the points (r , z  ) will satisfy z  = f (E(i), h(r||r )) for a polynomial f ∈ {f1 , . . . , fm }. At the reader side, E(i) will be the solution of x to the equation z  = fj (x, h(r||r )). So the valid tag will be correctly identified. The server will also get up to mbk − 1 other solutions in one authentication session. The distribution of the meta IDs can be considered to be uniformly at random in F2l , so the probability that one or more of these solutions happen to be valid meta IDs is estimated to be  mbk−1 N 1− 1− l . (1) 2

4

Security Analysis

In this section, we analyze the security and privacy properties of our protocol. Recall that in the attack model, the adversary can eavesdrop and query any tag, and it can compromise some tags. The goal of the adversary is to impersonate or trace the uncompromised tags. 4.1

Query and Recovery

First, we consider the query-and-recovery attack. In this attack, the adversary repeatedly queries a tag, collects the responses, and then tries to recover the polynomials assigned to the tag. This is an intermediate step toward impersonation and tracing. Our security analysis for the query-and-recover attack is based on the hardness of the noisy polynomial interpolation problem, which is related to the well-known polynomial reconstruction problem. Next we present existing results about these problems in the literature, followed by our analysis. Preliminary. First we review the polynomial reconstruction (PR) problem [15] and the noisy polynomial interpolation (NPI) problem [18]. Definition 1. (Polynomial reconstruction) Input: Integers k and t, and T points {(xi , yi ) : i ∈ [1, T ]} where xi , yi ∈ F2l . Output: All univariate polynomials P of degree at most k such that P (xi ) = yi for at least t values i ∈ [1, T ]. The best known algorithm to solve this problem √ is the Guruswami-Sudan algorithm [10]. It solves the problem when t > T k in time polynomial in T . √ When t ≤ T k, the current state of knowledge suggests that the problem may be difficult even in the light of recent extensions of list or average case decoding for related families of codes [15]. A variant of the PR problem, denoted as the noisy polynomial interpolation (NPI) problem, is as follows:

A Highly Scalable RFID Authentication Protocol

365

Definition 2. (Noisy Polynomial Interpolation) Input: S sets of points generated as follows: Pick a random polynomial P over F2l of degree at most k. Generate S ≥ k + 1 sets, each containing B points. The x coordinate of each point is randomly chosen from F2l subject to the condition that all x values are distinct and different from 0. In each set there is exactly one point (x, y) which satisfies y = P (x). For the other B − 1 points, the y coordinate is chosen randomly. Output: the polynomial P . The NPI problem is presented in [18]. A previous version of this problem was presented in [17] in which the points in the same set all have the same x coordinate. In [5], Bleichenbacher and Nguyen show that having the same x coordinate allows meet-in-the-middle attacks and lattice attacks. However, it is unknown how to employ these attacks against NPI. It appears that, although there is more information given in NPI than in the PR problem, NPI may be as hard as the PR problem. Parameter Selection for NPI. In [18], Noar and Pinkas also proposed a cryptographic assumption based on the NPI problem. They assumed that, if √ S, B and k are polynomial in the security parameter and S < SBk, then the problem is hard. Here we further analyze the security level under concrete parameter settings. First we review the analysis of parameter choices for the PR problem in [14]. In [14], the best approach to solve the PR problem is assumed to be one of the two and then test all   T choices: (1) choose k + 1 points to recover a polynomial polynomials, or (2) delete d points, where t > (T − d)k, and use the GS k+1 algorithm on the remaining T − d points. We call the first approach exhaustive search; its idea is clear. The idea of the second approach is to delete  d points. If all the d points are not on the polynomial P , then it happens that t > (T − d)k so that GS will output the proper P . We call this approach exhaustive deletion. We note that the idea of exhaustive search and exhaustive deletion can be generalized to selecting n points where k + 1 ≤ n ≤ T . We use this generalized idea for the NPI problem and consider the following new probabilistic algorithm A as shown in Algorithm 1 to solve NPI. Algorithm 1. A choose n sets of points choose β points from each set use the nβ points as input to the GS algorithm, and output all polynomials of degree at most k that fit at least k + 1 points.

Note that A may output more than one polynomial. If P is among them, we consider A successful in solving the problem. Let PN P I (S, B, k, n, β) be the probability that P will be outputted. Let t be the number of points in the set of nβ points that satisfy y = P (x). It is clear

366

J. Wu and D.R. Stinson

β that√0 ≤ t ≤ n and t follows a binomial distribution with parameters ( B , n). If t > nβk, then P will be outputted. It holds that  PN P I (S, B, k, n, β) = Pr[t > nβk] (2) n  = Pr[t = i] √ i= nβk+1

=

n  √ i= nβk+1

   i  n−i n β β 1− . i B B

Remark. Note that, when β = 1 and n = k + 1, the algorithm becomes an exhaustive search and  k+1 1 PN P I (S, B, k, k + 1, 1) = . B When β = B, √ the algorithm is deterministic for given n. In this situation, if n ≤ Bk, then  nBk + 1 > n so that PN P I (S, B, k, n, B) = 0. If n > Bk, then   n  n n−i PN P I (S, B, k, n, B) = 0 = 1. i √ i= nBk+1

Regarding the hardness of NPI, we make the following assumption to estimate the concrete security level. Assumption 1. Let NP I AdvS,B,k = max{PN P I (S, B, k, n, β) : 1 ≤ β ≤ B, k + 1 ≤ n ≤ S}.

(3)

NP I Let n0 , β0 be the optimal choices of n, β for A to achieve AdvS,B,k . Let τ be the running time of the A using n0 , β0 . We assume that no algorithm can solve NPI NP I with probability more than AdvS,B,k using time at most τ . NP I AdvS,B,k can be estimated as   

 k+1 1 S NP I AdvS,B,k = max , PN P I S, B, k, S, −1 B k

(4)

(See Appendix A for a detailed analysis). Security Under Query-and-Recovery. Now we relate the difficulty of the query-and-recover attack to the difficulty of solving the NPI problem. Recall that in the protocol, to answer a challenge r, the tag computes z  = g(h(r||r )) where r is a random number generated by the tag. h(r||r ) can be considered as random to the adversary. This point (z  , r ) is sent along with other b − 1 random points. In a query-and-recovery attack, the adversary queries a tag Q times. In every consecutive m queries, the tag uses each of its m polynomials once and in a random order. The problem for the adversary is to recover these polynomials after Q queries. We have the following result.

A Highly Scalable RFID Authentication Protocol

367

Theorem 2. Suppose Assumption 1 holds. If the adversary queries a tag Q times (where we assume that m|Q), then the probability that it can recover any polynomial of the tag within time τ is at most NP I AdvQ/m,mb−m+1,k .

(5)

Proof. We reduce an NPI problem with parameters (S = Q/m, B = mb − m + 1) to a query-and-recover problem. We choose m − 1 random polynomials. For each polynomial, we generate Q/m points from Q/m random x values, and put the Q/m points in the Q/m sets. This becomes a query-and-recover problem of Q queries, m polynomials of degree k, and b points in each answer. Given , m, b, and k, there is a Qmax such that for Q ≤ Qmax , it holds that NP I AdvQ/m,mb−m+1,k ≤ .

Therefore, Qmax is the maximum number of queries allowed for one tag. Qmax can be estimated as Qmax ≈ ((b − 1)m2 + m)k

(6)

(See Appendix B for a detailed analysis). Equation (6) indicates that Qmax increases linearly with m2 and k. mk indicates the memory overhead to store the m polynomials of degree k in a tag. Qmax also increases linearly with b, which indicates the communication overhead and the number of random points the tag needs to generate. 4.2

Compromise and Recovery

In this attack, the adversary compromises some tags, obtains the polynomials assigned to these tags, and tries to recover the bivariate polynomials used in the server side. This is an intermediate step toward impersonation and tracing. First we express the polynomial assignment in the form of a matrix computation. Let ⎛ ⎞ 1 x1 . . . x1 k ⎜ .. ⎟ ⎜ ⎟ . ⎜ ⎟, X=⎜ ⎟ . .. ⎝ ⎠ k 1 xn . . . xn where x1 , . . . , xn are the meta IDs assigned to the n tags. Let M1 , . . . , Mm be (k + 1) × (k + 1) matrices, which are matrix representations of the bivariate polynomials f1 , . . . , fm . Let Yi = XMi . Then Yi is an n × (k + 1) matrix, and row j of Mi corresponds to the univariate polynomial generated using fi and assigned to tag j. We use M [r] to denote the rth row of a matrix M , and M [r][c] to denote the entry at the rth row and cth column of M . It is clear that Yj [i] = X[i]Mj , and the univariate polynomials assigned to tag i are Y1 [i], . . . , Ym [i].

368

J. Wu and D.R. Stinson

For the adversary to recover an Mi , it is necessary to know Yi . Suppose the adversary obtains Yi . He then needs to solve the following system of n(k + 1) equations with n + (k + 1)2 unknown variables: Yi [r][c] =

k 

xr j Mi [j][c],

(7)

j=0

where 0 ≤ r ≤ n − 1, 0 ≤ c ≤ k. A necessary (but maybe not sufficient) condition to solve (7) is n ≥ 2

(k+1)2 . k

We assume that when n ≥ (k+1) , the adversary can solve (7) in a practical time k period τ .1 However, when Y1 [i], . . . , Ym [i] are assigned to the tag xi , their order is randomly permuted. So by compromising n tags, the adversary does not know which n polynomials in the n tags are generated from the same M . We assume that the best he can do is to draw one polynomial from each tag as a row of Yi , and solve x1 , . . . , xn and Mi in (7). With probability 1/mn−1 , the polynomials in Yi are generated from the same bivariate polynomial f . Therefore, we estimate that the probability that the adversary can compute one Mi in time τ is AdvCR = ≤

1 mn−1 1 

(k+1)2

m k = m−k−2 .

(8) 

−1

Remark. After the adversary has compromised n tags, if he also knows the meta IDs x1 , . . . , xn of the tags, then he can use the GS algorithm to recover M1 , . . . , Mm . However, when x1 , . . . , xn are unknown, the GS algorithm is no longer applicable, and we assume that there is no efficient algorithm to solve the problem. It is worthwhile to further investigate the validity of this assumption. 4.3

Impersonation

In the impersonation attack, the adversary tries to impersonate a uncompromised tag to a reader. In the RFID literature, this is often named counterfeiting or cloning. Since cloning implies replicating a tag, we think that impersonation may describe the goal of the adversary better. For example, the adversary may 1

(7) is a system of nonlinear polynomial equations. For general systems of nonlinear polynomial equations where number of unknown variables u equals the number of equations v, there is no efficient algorithm. If the system is overdefined, i.e., v > u, then the linearization technique may sometimes be used to solve the problem efficiently [7]. But for (7), the linearization technique does not work. On the other hand, we cannot rule out the possibility that the special form of (7) may make some efficient algorithms possible. Here we assume that (7) can be solved efficiently. This assumption may underestimate the security of the protocol.

A Highly Scalable RFID Authentication Protocol

369

combine the information gathered from a tag to generate new messages to impersonate a tag, or use the information gather from one tag to impersonate another tag. In both cases, the adversary tries to cheat the reader in a way other than by replicating. The impersonation attack model for RFID should be much weaker than that for conventional cryptographic entity authentication. For example, concurrent attacks (where the adversary concurrently executes multiple sessions with the prover (tag)) and intruder-in-the-middle attacks (where the adversary intercepts and manipulate the messages between the prover (tag) and the verifier (reader)) do not seem to apply to RFID. These attacks originated in the Internet communication model and have not been considered for RFID in the literature. The main concern for RFID is that, in a authentication session, the adversary might be able to use the information collected before to make the reader accept it as a valid and uncompromised tag. This is similar to the smartcard communication model. We analyze the protocol in this scenario. After receiving a challenge r, to make the reader accept it as a valid tag, the adversary A needs to generate a point (r , z  ) such that z  = g(h(r||r )) where g is a polynomial assigned to the tag. As we have analyzed, the adversary cannot learn the polynomials assigned to a tag by querying a tag or compromising other tags. Since A does not know g, he cannot compute z  by evaluating g(). Then A may choose a z  previously generated by the tag. A can do this in a probabilistic way: after observing a query and response from the tag, A randomly picks one point from the response. With probability 1/b, A gets r0 , r0 , and z0 where z0 = f (h(r0 ||r0 )). Then A needs to find r such that h(r||r ) = h(r0 ||r0 ). When r is a random challenge, and the hash function h() is modelled as a random oracle, then the probability that A chooses r such that h(r||r ) = h(r0 ||r0 ) is Pr[h(r  r ) = h(r0  r0 )] (9)     = Pr[h(r  r ) = h(r0  r0 ) ∧ r = r0 ] + Pr[h(r  r ) = h(r0  r0 ) ∧ r = r0 ] ≤ Pr[r = r0 ] + Pr[h(r  r ) = h(r0  r0 )|r = r0 ] 1 1 = l+ l 2 2 1 = l−1 . 2 A may just send random points and hope that at least one of them satisfies z  = f (x , h(r||r )) for a polynomial f ∈ {f1 , . . . , fm } and a valid meta ID x . The probability that this happens is similar to (1). 4.4

Tracing

Now we consider the tracing problem. Suppose that the adversary observes or participates in two authentication sessions as a reader. The problem for the adversary is to tell if the two sessions involve the same tag. The output of a tag is b points. b − 1 of them are random points, and only one point (r , g(h(r||r ))) contains the information related to the tag. As we have

370

J. Wu and D.R. Stinson

analyzed, the adversary cannot learn the polynomials of an uncompromised tag. Without knowing g, only when y1 = h(r||r1 ) = y2 = h(r||r2 ), the adversary can tell that two points (y1 , g(y1 )) and (y2 , g(y2 )) are generated by the same polynomial. When r1 and r2 are generated by the tag at random, and the hash function h() is modelled as a random oracle, the probability that the adversary can trace a tag by its response is Pr[h(r||r1 ) = h(r||r2 )] ≤ Pr[r1 = r2 ] + Pr[h(r||r1 ) = h(r||r2 )|r1 = r2 ] (10) 1 1 = l+ l 2 2 1 = l−1 . 2 Note that if a tag has been queried more than Qmax times, and the adversary can get more information than the tag’s response (i.e., if an authentic reader accepts the tag), then the adversary may trace the tag.

5

Performance

We discuss the performance of the protocol under a concrete parameter setting. We set l = 64, m = 16, k = 8, b = 8, and Qmax = 13700. 5.1

Security and Privacy

The security and privacy provided by the protocol is as follows. – The adversary queries a tag and tries to recover the secret polynomials held by the tag. In each trial, the probability that the adversary can succeed is at most 2−60 (by (5)). – The adversary compromises several tags and tries to determine the secret bivariate polynomials held by the server. In each trial, the probability that the adversary can succeed is at most 2−40 (by (8)). Note that, with probability 2−40 , the adversary only obtains a correct system of nonlinear equations. The system consists of (k + 1)2 + k + 3 unknowns and (k + 1)2 + k + 3 equations. It is not clear whether there is any efficient algorithm to solve the system. – The adversary tries to compute a valid response using messages previously generated by a tag. In each trial, the probability that the adversary can succeed is 2−63 (by (9)). – The adversary answers a query with random responses. In each interaction with the reader, the probability that the adversary is identified as a valid tag is at most 2−22 when N ≤ 232 (by (1)). – The adversary tries to determine if two responses are from the same tag. For each pair of responses from one tag, the probability that the adversary succeeds is at most 2−63 (by 10).

A Highly Scalable RFID Authentication Protocol

371

– The adversary launches a Denial of Service (DOS) attack against a tag by repeatedly querying a tag. After being queried for 13700 times, a tag cannot be accepted by an authentic reader. In addition, an adversary may be able to trace the tag using information in addition to the tag’s response, e.g., if the tag is accepted by an authentic reader. 5.2

Tag

In each session, a tag needs to generate 2b − 1 random numbers in F2l , evaluate a polynomial of degree k over F2l , and compute a hash function. Random number generation and hash computation are considered suitable for symmetric-key tags and have been used in most previous RFID protocols. The tag needs to store m polynomials over F2l , each of degree k. So it needs to store m(k + 1) items of size l. For m = 16, k = 8, l = 64, it takes 9216 bit ROM, corresponding to 9216 gates in hardware. Using Horner’s rule, it takes k modular multiplication over F2l to evaluate a polynomial of degree k. A 64 bit modular multiplier takes several hundred gates in hardware. Therefore, in our protocol, a tag needs about 10000 more gates in hardware than a regular tag capable of hashing computation. As a comparison, if pubic key techniques are used to solve the scalability problem while preserving privacy, then about 20000 gates are required to implement an ECC processor for RFID tags to perform public key computations [9]. 5.3

Server

The server stores m bivariate polynomials of degree k. This requires m(k + 1)2 l/8 ≈ 10K bytes memory. In each session, for each bivariate polynomial f (x, y) and each received point (z  , r ), the reader needs to solve an equation z  = f (x, h(r||r )). Then it checks if the roots are valid meta IDs. There are efficient algorithms to solve polynomials over finite fileds, e.g., Berlekamp’s algorithm [4] and the Cantor-Zassenhaus algorithm [6]. After a meta ID is computed, it takes constant time to check if it is valid. Solving the polynomials dominates the total time in an authentication process. We implemented the reader algorithm based on NTL [1]. On a P4 3.2G PC with 1G RAM running Linux, when m = 16, k = 8, b = 8, and l = 64, the running time using the Cantor-Zassenhaus algorithm in average case (solving mb/2 polynomials of degree k on F2l where l = 64) is about 0.1 seconds for one query. 5.4

Scalability

N (the maximum number of tags ) is at most l bits. N is also limited by the false positive probability given in (1). Given the fixed parameters m = 16, k = 8, b = 8, and l = 64, when the false positive probability is less than 2−22 , N can be as large as 232 , which is sufficient for almost all conceivable applications. Therefore the protocol is highly scalable.

372

5.5

J. Wu and D.R. Stinson

Comparison

We compare our protocol with OSK/AO [3]. Both protocols are secure and untraceable, and both are designed to solve the key search problem to provide good scalability. Time and Space. OSK/AO has a query threshold Qm , which is the length of its hash chain. OSK/AO needs to store a precomputed table of size M . The time for each query follows the rule T =μ

(N Qm )2 M2

where μ is a constant. For N = 220 , Qm = 128, and M = 1GByte, OSK/AO takes 0.004 milliseconds for one query. However, when the number of tags increases, without increasing the table size, the time increases fast. Let M, Qm be fixed, and let T1 , T2 be the time for tag number N1 , N2 respectively. It holds that  2 N2 T2 = T1 . N1 If we consider a system of N = 232 tags, then, OSK/AO will take 67 seconds for one query, using an 1G bytes precomputed table. As a comparison, our protocol takes 0.1 seconds and 10K bytes memory in the server. Query Threshold. In OSK/AO, if a tag is queried more than Qm = 128 times by an adversary between two queries by an authentic server, then the tag cannot be recognized by an authentic reader. In our protocol, if a tag is queried a total Qm = 13700 times, then it cannot be recognized by an authentic reader. In 3 2 OSK/AO, the time for one query √ increases in Qm (instead of Qm ). In our protocol, the time increases in Qm . Therefore, the query threshold Qm in our protocol is much higher. However, OSK/AO does not have a limit on the total number of queries for a tag, although it is more susceptible to tag disable attacks where an adversary repeatedly queries a tag in a short time. On the contrary, our scheme is more resilient to tag disable attacks, but there is a limit on the total number of times that a tag can be queried. Which approach is better depends on how frequently a tag is queried. For example, in a library RFID system where a tag may be queried several times a day, the OSK/AO scheme may be desirable. In some other applications such as e-passport where a tag is queried every several weeks or months, our protocol may be preferable. Tag Hardware. The main drawback of our protocol compared to OSK/AO may be the hardware cost on the tag side, which is about 10000 more gates in hardware.

6

Conclusion

In this paper, we proposed a novel RFID protocol to solve the key search problem in RFID identification protocols. In previous RFID protocols, a hash-chain

A Highly Scalable RFID Authentication Protocol

373

is used to achieve good privacy. In such protocols, to identify a tag, a sever needs to search a table of size N Q, where N is the number of tags and Q is the length of the hash chain. The search takes either Θ(N Q) time or Θ(N Q) memory, and therefore it does not scale well. A time-memory tradeoff technique can mitigate the scalability problem. However, with the time-memory tradeoff, either the time or the space is still at least Θ((N Q)2/3 ). In our protocol, the server “solves”, instead of “searches”, for a tag ID. The protocol is based on polynomial operation, and its security and privacy is based on the difficulty of reconstructing a polynomial with noisy data. The protocol supports very large N Q values. In our demo implementation where N = 232 , Q = 13700, the server takes 0.1 seconds and 10K bytes memory to identify a tag. As a comparison, a hash-chain protocol enhanced with time-memory tradeoff will take 67 seconds with the support of a 1G bytes pre-computed table. At the same time, our protocol preserves security and privacy.

References 1. NTL: A library for doing number theory, http://www.shoup.net/ntl/ 2. Avoine, G., Dysli, E., Oechslin, P.: Reducing time complexity in RFID systems. In: Preneel, B., Tavares, S.E. (eds.) SAC 2005. LNCS, vol. 3897, pp. 291–306. Springer, Heidelberg (2006) 3. Avoine, G., Oechslin, P.: A scalable and provably secure hash-based RFID protocol. In: PerCom Workshops, pp. 110–114. IEEE Computer Society, Los Alamitos (2005) 4. Berlekamp, E.R.: Factoring polynomials over finite fields. Bell Systems Technical Journal (46), 1853–1859 (1967) 5. Bleichenbacher, D., Nguyˆen, P.Q.: Noisy Polynomial Interpolation and Noisy Chinese Remaindering. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 53–69. Springer, Heidelberg (2000) 6. Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comp. 36(154), 587–592 (1981) 7. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations (2000) 8. Dimitriou, T.: A lightweight RFID protocol to protect against traceability and cloning attacks. In: SECURECOMM 2005: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, Washington, DC, USA, pp. 59–66. IEEE Computer Society, Los Alamitos (2005) 9. F¨ urbass, F., Wolkerstorfer, J.: ECC processor with low die size for RFID applications. In: ISCAS, pp. 1835–1838. IEEE Computer Society Press, Los Alamitos (2007) 10. Guruswami, V., Sudan, M.: Improved decoding of Reed-Solomon and algebraicgeometry codes. IEEE Transactions on Information Theory 45(6), 1757–1767 (1999) 11. Henrici, D., M¨ uller, P.: Hash-based enhancement of location privacy for radiofrequency identification devices using varying identifiers. In: PerCom Workshops, pp. 149–153. IEEE Computer Society Press, Los Alamitos (2004) 12. Juels, A.: Minimalist cryptography for low-cost RFID Tags. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 149–164. Springer, Heidelberg (2005)

374

J. Wu and D.R. Stinson

13. Juels, A.: RFID security and privacy: a research survey. IEEE Journal on Selected Areas in Communications 24(2), 381–394 (2006) 14. Kkiayias, A., Yung, M.: Directions in polynomial reconstruction based cryptography. IEICE Transactions on Fundamentals of Electronics, Communications and Computer E87-A(5), 978–985 (2004) 15. Kkiayias, A., Yung, M.: Cryptographic hardness based on the decoding of ReedSolomon codes. IEEE Transactions on Information Theory 54(6) (2008) 16. Molnar, D., Wagner, D.: Privacy and security in library RFID: issues, practices, and architectures. In: CCS 2004: Proceedings of the 11th ACM conference on Computer and communications security, pp. 210–219. ACM Press, New York (2004) 17. Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: STOC 1999: Proceedings of the thirty-first annual ACM symposium on Theory of computing, pp. 245–254. ACM Press, New York (1999) 18. Naor, M., Pinkas, B.: Oblivious polynomial evaluation. SIAM J. Comput. 35(5), 1254–1281 (2006) 19. Ohkubo, M., Suzuki, K., Kinoshita, S.: Efficient hash-chain based RFID privacy protection scheme. In: International Conference on Ubiquitous Computing Ubicomp, Workshop Privacy: Current Status and Future Directions (2004)

Appendix A

Discussion on NPI and Exhaustive Search and Deletion

NP I We discuss the optimal choices of n and β for A to achieve AdvS,B,k . It is difficult to give an analytic result, so here we discuss this question based on some simulations. Figure 1 shows PN P I (S, B, k, n, β) as a function of n and β for 1 ≤ n ≤ Bk + 1, 1 ≤ β ≤ B, B = 5 and k = 5. We see that when n approaches Bk + 1 and β approaches B, PN P I increases sharply to 1. That indicates that if there are enough sets of points (s ≥ Bk + 1), then the adversary can easily recover the polynomial. Figure 2 shows PN P I (S, B, k, n, β) as a function of n and β for 1 ≤ n ≤ S, 1 ≤ β ≤ B, B = 5, k = 5 and S = 83 ≤ Bk. There are two points that have peak values among their vicinities in the graph. One is at n = k + 2 and β = 1, the other is at n = 83 = S and β = 13. We note that, if we use the exhaustive search approach, we will choose n = k + 1 and β = 1, and then we have PN P I (S, B, k, k + 1, 1) = 0.1 × 10−7 which is lower than the peak value where PN P I (S, B, k, k + 2, 1) = 0.8 × 10−7 , but the difference is small in view of their magnitudes. Also, the point (n = k + 1, β = 1) for exhaustive search is close to that for the peak value at (n = k + 2, b = 1). If we take the exhaustive deletion approach, then we will choose n = S = 83, β =  Sk  − 1 = 16, and have PN P I (S, B, k, 83, 16) = 0.4 × 10−8 which is lower than the other peak value PN P I (S, B, k, 83, 15) = 0.4 × 10−7 , but difference is small in view of their magnitudes. Also the point for exhaustive search (n = 83, β = 16) is close to that for the peak value at (n = 83, β = 15).

A Highly Scalable RFID Authentication Protocol

375

1 0.8 0.6 P 0.4 0.2 0 0 20

5 40 60

n

15

80 100

10 b

20

Fig. 1. PNP I when S ≥ Bk + 1 .

8e–08 6e–08 P 4e–08 2e–08 0 0 5

20 40 n 15

60 80

10 b

20

Fig. 2. PNP I when S < Bk .

The above observation leads to the conjecture that, for S < Bk +1, the results of exhaustive search and exhaustive deletion are close to the best strategy for the adversary. Then the advantage of the adversary may be estimated as

376

J. Wu and D.R. Stinson

 NP I AdvS,B,k = max

B

1 B

k+1



 S , PN P I S, B, k, S, −1 . k

Discussion on Interrogation Threshold

For the protocol to be secure, we require that the advantage of the adversary is no more than a given . It is not clear how to directly compute Qmax (or equivalently nmax = Qmax /m) for given . We give the following estimate. In Figure 1, we see that P (S, B, k, n, k) = 1 when n = Bk + 1, and P (S, B, k, n, k) decreases sharply to 0 when n decreases. This implies that nmax is less than Bk and may be close to Bk. Correspondingly, in the query-and-recovery attack, Qmax is close to ((b − 1)m2 + m)k. We compare Qmax for given  and different sets of m, b, k values and ((b − 1)m2 + m)k in Table 1. Table 1. Estimation of Qmax m 5 10 15 20 25 30 35 40 45 50

Qmax ((b − 1)m2 + m)k 420 525 1860 2050 4290 4575 7720 8100 12150 12625 17580 18150 24010 24675 31440 32200 39870 40725 49300 50250

Qmax ((b−1)m2 +m)k

0.80 0.90 0.94 0.95 0.96 0.97 0.97 0.98 0.98 0.98

The results show that Qmax and ((b − 1)m2 + m)k are close. Therefore, we can estimate that Qmax ≈ ((b − 1)m2 + m)k.

Strengthening the Security of Distributed Oblivious Transfer K.Y. Cheong, Takeshi Koshiba, and Shohei Nishiyama Division of Mathematics, Electronics and Informatics, Graduate School of Science and Engineering, Saitama University 255 Shimo-Okubo, Sakura, Saitama 338-8570, Japan {kaiyuen,koshiba,shohei}@tcs.ics.saitama-u.ac.jp

Abstract. We study the distributed oblivious transfer first proposed by Naor and Pinkas in ASIACRYPT 2000, and generalized by Blundo et al. originally in SAC 2002 and Nikov et al. in INDOCRYPT 2002. One major objective of distributed oblivious transfer is to achieve information theoretic security under specified conditions through the distribution of the functions of traditional oblivious transfer to a set of neutral parties. In this paper we revise the definition of distributed oblivious transfer in order to deal with stronger adversaries and clarify possible ambiguities. Under the new definition, we observe some impossibility results and derive the upper bounds for the system parameters (with respect to the size of coalition). The weak points of previously proposed schemes based on threshold secret sharing schemes using polynomial interpolation are reviewed and resolved. We generalize the results and prove that, by adjusting some technical details, a previous scheme proposed by Nikov et al. is unconditionally secure. This protocol is efficient and achieves the parameter bounds at the same time. Keywords: oblivious transfer, secret sharing scheme, information theoretic security.

1

Introduction

Oblivious Transfer (OT) is a two-party cryptographic protocol. In the first OT system introduced by Rabin [12], a message is received with probability 1/2 and the sender does not know whether his message reaches the other side. Later, Even et al. defined the 1-out-of-2 OT [6], where the sender has two secrets ω0 and ω1 and the receiver can choose one and only one of them in an oblivious manner. That is, the sender cannot know the receiver’s choice σ ∈ {0, 1} and the receiver cannot know any information on ω1−σ as he gets ωσ . The more general 1-out-of-N OT (where the sender has N secrets), the more specific 1-out-of-2 bit OT (where the secrets are one bit long), are similarly defined and the reductions among them have been discussed [2,3,5]. Also, Rabin’s OT and the 1-out-of-2 OT are equivalent, as shown by Cr´epeau in [4]. In this paper we focus on the 1-outof-2 OT. OT protocols are important building blocks of modern cryptography. Most notably, any secure multi-party computation can be based on OT [8,9,14]. C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 377–388, 2009. c Springer-Verlag Berlin Heidelberg 2009 

378

K.Y. Cheong, T. Koshiba, and S. Nishiyama

By simple arguments it can be shown that OT can only be computationally secure for either the sender or receiver, without involving extra parties or special communication channels. If information-theoretic security is desired for both sides, some more structures are needed. Distributed OT (DOT), proposed by Naor and Pinkas [10], achieves this. In their DOT, the sender interacts with M servers to distribute the secrets. After that, the receiver communicates with any m servers to get one secret. The scheme makes use of properties of polynomials as in Shamir’s classic secret sharing scheme [13], which gives the fundamental framework of most other DOT schemes proposed later. For example, Blundo et al. [1] extended the work of [10] to the case of 1-out-of-N OT. Also in [1], the first DOT scheme not using polynomials was proposed. Taking the idea of [10], another DOT scheme has been suggested by Nikov et al. in [11], using only a different polynomial. In their work, the 1-out-of-2 OT can also be extended to 1-out-of-N OT. Moreover, they gave a general access structure protocol implementing the 1-out-of-N OT. Also, some general lower bounds for computational resources and system parameters (with respect to the size of coalition) in DOT have been derived in [1] and [11] respectively. Recently, Ghodosi [7] revealed some weak points of the DOT scheme in [10] and showed some possible attacks. As the protocol in [10] uses a restricted form of Shamir’s threshold secret sharing scheme based on polynomial interpolation, Ghodosi pointed out that such restriction causes the weak points of the DOT scheme even though the original secret sharing scheme is perfectly secure. These attacks may apply to similar schemes in [1] too. The protocol in [11] is mostly immune to the attacks but still not perfectly secure. In this paper, we work on polynomial-based DOT, but the essential properties of the general DOT are first discussed in Section 2. We try to define DOT in simpler terms and to cope with stronger adversaries. Under the new definition, in Section 3 we derive some upper bounds for system parameters measuring the strength of adversaries, partially similar to the results in [11]. The framework by [10] for all DOT schemes based on polynomials is then introduced in Section 4.1. Problems related to Ghodosi’s attacks are discussed in details in Section 4.2. Based on the results of [11], we then construct a protocol in Section 5.1. We use it to develop a scheme with provable security in information theoretic sense.

2

Defining DOT

In this paper, we try to define DOT generally. The desired properties of a DOT system are listed, though some of them may be optional. As in traditional OT, a 1-out-of-2 DOT protocol involves a sender with secrets (ω0 , ω1 ) and a receiver with a choice σ ∈ {0, 1}. In addition, in DOT there is a set of m neutral servers. The sender interacts with the servers to dedicate the task of OT to them. The receiver follows the protocol to get ωσ from the servers. In our definition of DOT, the interactions between all parties have the following properties: 1. Each single party has a secure and private communication channel with any other party. This is the basic assumption even if some channels are not used.

Strengthening the Security of Distributed Oblivious Transfer

379

2. The sender and the receiver do not communicate with each other. 3. If all parties are honest, the interactions between the sender and the servers are finished before the interactions between the receiver and the servers begin. In practice, the servers may have to notify the receiver when it is possible for him to start his part of the protocol. With the properties of DOT described above, when the sender has finished his part of protocol, it is possible for the receiver to halt the protocol for some time before he starts it again, if he ever does. The presence of the sender is not required during that time. This gives an advantage in various situations, for example, if it is uncertain when the receiver will request the OT, or if the sender is not supposed to know (or predict) the identity of the receiver. Next, the DOT protocol must guarantee the following functional properties: 1. Correctness: If all parties are honest, when the protocol is finished the receiver can always compute ωσ . 2. Receiver’s privacy: The (malicious) sender cannot get any information about σ of an honest receiver, even if he is in coalition with λ1 corrupted servers. 3. Sender’s privacy against receiver: For any coalition of the receiver and λ2 servers, if they obtain any information about one secret of the honest sender, then they get no information about the other secret. 4. Sender’s privacy against servers: A coalition of λ3 corrupted servers gains no information about any of the honest sender’s secrets. Our DOT has three system parameters as shown above. The larger they are, the more secure the protocol is. If λ1 = λ2 = λ3 = 0 then this DOT is a trivial OT achieved through a trusted third party. When giving the parameters, we assume a corrupted party is corrupted the whole time the protocol is run. In our definition of DOT, the security requirements are made as simple as possible. This is not only for simplicity but also for the largest freedom of the adversaries. We have three parameters due to three possible types of malicious parties, each going after a different objective: 1. A party not including the receiver may try to obtain information on σ. 2. A party including the receiver but not the sender may try to obtain information on both ω0 and ω1 , while they are entitled to only one of them. 3. A party including neither the sender nor the receiver may try to obtain information on ω0 , ω1 , or both. By simple arguments it is known that traditional OT is automatically secure against eavesdropping. Therefore the last type of adversary above is related to DOT only. Note that our definition of DOT is slightly different from the previous schemes [1,10,11]. First, we do not assume the existence of a measure to limit receiver’s access to the servers, so the receiver will contact all servers rather than a subset of them. Next, in all previous DOT schemes, the definition of receiver’s privacy is against the servers only. The sender is assumed to be honest and not discussed. In our study the sender may actively cheat.

380

K.Y. Cheong, T. Koshiba, and S. Nishiyama

Also, in the DOT definitions in [10] and [11], the sender can only send one message to each server. After that, only one round (two messages) of communication is allowed between the receiver and each server. This one-round DOT assumption suffices for polynomial-based schemes, but is not true for a general DOT. For example, in [1] a two-round DOT was proposed. In this paper we do not limit the number of rounds of communication between any parties, such that a larger family of possible DOT protocols will be included. We believe our definition of DOT is simpler than others as a result. It also copes with stronger adversaries due to larger freedom on the possible malicious behaviors.

3

The Upper Bounds

We now show a simple upper bound for the system parameters λ1 and λ2 for a fixed m. We show that m > λ1 + λ2 . For contradiction, consider m ≤ λ1 + λ2 . As a party can always corrupt fewer servers than allowed, it suffices to show that even the case m = λ1 + λ2 leads to insecurity of the DOT. We now proceed to the proof of insecurity. Assume in one case, due to the absence of neutral servers, the sender agree to simulate by himself the first λ1 servers and the receiver the remaining λ2 servers, in order to achieve the function of a traditional OT. If both sides are fully honest, this clearly will give the desired result in terms of correctness. In traditional OT, information-theoretic security cannot be achieved for both sides, even for the semi-honest model. Therefore, one side (Alice) is at most only protected computationally. Replace the other side (Bob) with a semi-honest but computationally unlimited machine, it is clear that Bob will violate Alice’s privacy without being detected. Next, replace all servers with neutral ones. But the malicious Bob can corrupt the servers which have been simulated by him earlier. He can then act semi-honest with the corrupted servers. Alice and the honest servers will not detect anything wrong while security is actually broken. As a result, DOT can only be achieved if m > λ1 + λ2 . This is the same as the bound shown in [11], but in [11] it is only shown for one-round DOT. Actually this is true in general. Note that this bound is tight in two ways. First, DOT can be achieved with m = λ1 + λ2 + 1. The actual protocols are discussed in this paper. Also, our new definition of DOT is closely related to this new bound, as DOT schemes overcoming this bound in some ways have been constructed in [1] by assuming that the sender is honest. On the other hand, for λ3 , it is clear that m > λ3 because all OT functions are dedicated to the m servers when the sender finishes his part of protocol and goes offline. A coalition of m servers can get all of the sender’s secrets. In this paper we show that DOT can be achieved for m = λ3 + 1.

4 4.1

DOT Based on Polynomials The Original Scheme

First proposed by [10], a DOT scheme based on polynomials has the following structure:

Strengthening the Security of Distributed Oblivious Transfer

381

1. Sender starts with two secret numbers (ω0 , ω1 ) smaller than security parameter p and generates in finite field Fp (modulus p) a random polynomial Q(x, y) such that Q(0, 0) = ω0 and Q(0, 1) = ω1 . 2. There are m servers, named by integer 1 to m. To each server i the sender sends Q(i, y) as a polynomial in y. 3. The receiver generates S(x) such that S(0) = σ, his choice of secret. He sends S(i) to each server i. 4. Define R(x) = Q(x, S(x)). Server i calculates R(i) = Q(i, S(i)) and sends it to the receiver. 5. The receiver now has m points of R(x) to interpolate the polynomial. Then he calculates R(0) = Q(0, S(0)) = ωσ . There are a number of different ways of choosing Q(x, y) and S(x) that differentiate the few schemes proposed previously. For correctness, we have to make sure R(x) is of degree m − 1 or lower. Apparently, for receiver’s privacy S(x) should be of degree λ1 or above. The structure of the polynomials has to be specified but all coefficients should be randomly selected to provide the best security. In [10], two actual schemes were proposed. In both schemes, S(x) is random with degree ds . The only difference is Q(x, y). In the first scheme, we have: Q(x, y) =

m−1 

aj xj + b1 y + b0 .

(1)

j=1

In [10] it is known that this choice of Q(x, y) is insecure when one server is corrupted by the receiver. This is because the receiver can run the DOT honestly to obtain ω0 = b0 and then the corrupted server can get ω1 = b1 + b0 because b1 is known by all servers. To avoid this problem, the second scheme in [10] is proposed. The choice of Q(x, y) is a full polynomial: Q(x, y) =

dy dx  

aj,l xj y l

(2)

l=0 j=0

with dx + dy ds = m − 1. However, in [7], this scheme is also shown to have some security problems. 4.2

Security Concerns

First of all, as shown in the first attack in [7], if S(x) is restricted to be of degree ds = λ1 , a problem for receiver’s privacy will occur. A coalition of ds servers has 1 a small advantage of guessing σ = S(0). With probability p−1 the value of σ is exposed with certainty. Therefore, with this attack, the overall probability of 1 guessing σ is 12 + 2p−2 rather than the neutral 12 , if σ is uniformly distributed in the first place. Actually, we can generalize this observation to show that, with a coalition of even fewer corrupted servers, a slight advantage for guessing S(0) always exists.

382

K.Y. Cheong, T. Koshiba, and S. Nishiyama

Using the same method in [7], we define: S(x) = S  (x) =

ds  j=0 dc 

sj xj sj xj

(3)

j=0

where S(x) is the secret polynomial and S  (x) is constructed by the dc + 1 points of S(x) obtained by the cheating servers such that S(x) = S  (x) at these points. If ds = dc then S(x) can be fully determined. Otherwise dc < ds and the equation S(x) − S  (x) = 0 is expressed as (s0 − s0 ) + (s1 − s1 )x + . . . + (sdc − sdc )xdc + sdc +1 xdc +1 + . . . + sds xds = 0. (4) For the sake of convenience we define sj = 0 for ds ≥ j > dc . Now, as a hypothesis concerning the unknown S(x), consider the possible case that (s0 , s1 , . . . sds −dc −1 ) = (s0 , s1 , . . . sds −dc −1 ). Then the equation of (4) may be reduced to (sds −dc −sds −dc )xds −dc +(sds −dc +1 −sds −dc +1 )xds −dc +1 +. . .+(sds −sds )xds = 0. (5) Denote by βi the identity of the ith cheating server, this gives ⎛ ds −dc ds −dc +1 ⎞⎛ ⎞ ⎛ ⎞ β1 β1 . . . β1ds sds −dc − sds −dc 0 ⎜ β2ds −dc β2ds −dc +1 . . . β2ds ⎟ ⎜ sds −dc +1 − sd −d +1 ⎟ s c ⎜ ⎟⎜ ⎟ ⎜ .. ⎟ (6) ⎜ . ⎟=⎝.⎠ .. .. ⎟ ⎜ .. ⎝ .. ⎠ . . . ⎠⎝ 0 −dc ds −dc +1 sds − sds βdds+1 βd +1 . . . βdds+1 c

c

c

leading to the conclusion that sds = 0 by solving this system of equations with nonzero Vandermonde determinant. This is a contradiction because the degree of S(x) is ds . Therefore the hypothesis is refuted and we know for certain that (s0 , s1 , . . . sds −dc −1 )  = (s0 , s1 , . . . sds −dc −1 ). This eliminates one possibility on the value of (s0 , s1 , . . . sds −dc −1 ). As σ = s0 , if it happens that s0 equals 0 or 1, then we can conclude that s0 = 1 − σ is slightly more likely than s0 = σ. For the case where dc = ds − 1 as shown in [7], we can simply know that s0 = 1 − σ. Therefore, the receiver’s privacy is not perfectly protected. Furthermore, even in the case of a coalition of ds servers, the coalition can simulate a coalition of fewer servers. Combining the results, the adversary can actually guess σ with a 1 probability larger than 12 + 2p−2 in this new attack. Next, in the second scheme of [10] as shown in (2) above, the degree of R(x) = Q(x, S(x)) is dependent on S(x). This is a security problem for the honest sender if the receiver is cheating. As illustrated in the second attack in [7], the minimum degree of R(x) is dx when S(x) has zero degree. The receiver can use S(x) = 0 to communicate with the first dx + 1 servers to obtain ω0 , and use S(x) = 1 to interact with the next dx + 1 servers to get ω1 . This attack works when

Strengthening the Security of Distributed Oblivious Transfer

383

m ≥ 2dx + 2, even if no server is corrupted. If λ2 servers are corrupted by the receiver the attack can work for m ≥ 2dx + 2 − λ2 . Also, this attack seems to apply to one of the schemes in [1] having the same type of structure. 4.3

Ideas on Security Fix

The first problem is for receiver’s security. To resolve it we simply allow more freedom on the choice of S(x). We can set S(x) to be random with degree no larger than λ1 . The actual degree is only known by the receiver. This is enough to ensure correctness as the degree of R(x) will not be increased. The only restriction is S(0) = σ. That is: S(x) =

λ1 

sj xj + σ

(7)

j=1

where each sj is uniformly distributed in Fp . In this case the value of S(0) is uniformly distributed, thus perfectly secret, in the view of any party knowing fewer than λ1 + 1 other points of S(x). The second security issue threatens sender’s privacy. One solution is to ensure that the degree of R(x) is not dependent on S(x). This can be done by the following general construction. The structure of Q(x, y) is slightly modified to  Q(x, y) = aj,l xj y l (8) j,l∈N

where j, l are nonnegative integers and aj,l is random if j + lλ1 ≤ m − 1, otherwise aj,l = 0. This is a more general form of Q(x, y) compared with (2) and the number of coefficients aj,l is increased. With this Q(x, y), it is clear that the degree of R(x) does not exceed m − 1 as long as the degree of S(x) does not exceed λ1 . Also, the degree of R(x) is independent of S(x) such that the attack in [7] against the sender no longer works. This general structure is provably secure. In the next section we provide a specific scheme for it.

5 5.1

The Secure DOT Scheme A Sub-protocol

In this paper we introduce a DOT protocol and prove its security in information theoretic sense, leaving no doubt on how secure it is. Also, m = λ1 + λ2 + 1 = λ3 + 1, reaching the upper bounds of the parameters. First, by choosing a special case of the general case in (8), we give the following much simplified Q(x, y) by setting aj,l = 0 when l > 1. Practically this limits the degree of y in Q(x, y) to one, and it becomes Q(x, y) = B0 (x) + B1 (x)y (9) where B0 (x) has degree at most m − 1 and B1 (x) is of degree at most λ2 . These polynomials are the same as those in the scheme of [11] except the specifications

384

K.Y. Cheong, T. Koshiba, and S. Nishiyama

on their degrees. Only B0 (0) and B1 (0) are relevant to sender’s secrets and all other coefficients are random in Fp . Next, we use this structure as a sub-protocol, as it is still not fully secure for the sender, because the receiver can actually get a linear combination of the sender’s secrets. In particular, if S(0) = α then the receiver can get B0 (0) + αB1 (0) for any value of α, without being detected that α may not be zero or one. In the full DOT scheme this will be handled. But for the sub-protocol we allow this to happen, and the receiver will get B0 (0) + αB1 (0) for any α of his choice but nothing more. To summarize we have the following structure: 1. The sender begins with secret numbers a0 and b0 , the receiver begins with secret α, all in Fp . The receiver is allowed to obtain a0 + αb0 while the sender should get nothing. 2. The sender generates randomly (a1 , . . . am−1 ) and (b1 , . . . bλ2 ) all in Fp and constructs: B0 (x) =

m−1 

aj xj + a0

j=1 λ2 

B1 (x) =

bj xj + b0

j=1

Q(x, y) = B0 (x) + B1 (x)y

(10)

3. The receiver generates randomly (s1 , . . . sλ1 ) in Fp to construct: S(x) =

λ1 

sj xj + α

(11)

j=1

4. There are m servers named 1 to m. The sender sends each server i the values of B0 (i) and B1 (i). The receiver sends each server i the value of S(i). 5. Let R(x) = Q(x, S(x)). Each server i calculates R(i) = B0 (i) + B1 (i)S(i) and sends it to receiver. 6. The receiver interpolates m points of R(x) to solve it fully. After that the value of R(0) = a0 + b0 α can be calculated. 5.2

Correctness and Security

If the protocol above is followed, correctness is straightforward as the degree of R(x) is at most m − 1. Next, it is clear that the receiver’s privacy is ensured. As S(x) is a random polynomial of degree no larger than λ1 , the view for α = S(0) is uniformly distributed given λ1 or fewer other values of S(x). For sender’s privacy against receiver, we show that the receiver can obtain at most a linear combination of the sender’s two secret numbers, fulfilling the objective of the sub-protocol. A receiver corrupting server i can do no better than obtaining B0 (i) and B1 (i) directly. On the other hand, if server i is not corrupted, the receiver can get B0 (i) + B1 (i)yi for any yi selected. As there are

Strengthening the Security of Distributed Oblivious Transfer

385

m − λ2 honest servers, the collection of all these yi implicitly corresponds to some S(x) of degree at most m − λ2 − 1 = λ1 such that S(i) = yi . Therefore, the choice of yi of any malicious receiver will actually be the same as some honest receiver choosing S(x). The value of S(x) is known by the receiver: S(x) =

λ1 

sj xj .

(12)

j=0

So the malicious receiver will at least know the value of a0 + b0 s0 . If we can show that the receiver can only get a linear combination of a0 and b0 , this is exactly what he gets. The receiver gets 2λ2 equations from the corrupted servers, and m − λ2 equations in the form of B0 (i)+B1 (i)S(i) = vi from honest server i. All the coefficients of B0 (x) and B1 (x) are the unknowns and therefore there are m+λ2 +1 of them. There are more unknowns than equations so it is impossible to solve them fully. In particular, with all the information on B1 (x) from the cheating servers alone, the receiver gets the vector ⎛ ⎞⎛ ⎞ 1 β1 β12 . . . β1λ2 b0 ⎜ .. .. ⎟ ⎜ .. ⎟ .. (13) ⎝. . . ⎠⎝ . ⎠ 1 βλ2 βλ22 . . . βλλ22

bλ2

where βi is the identity of the ith cheating server. Using the property of Vandermonde matrices, the receiver can now express each of (b1 , b2 , . . . bλ2 ) as a linear function of b0 , as there is one more unknowns than equations. From this, for any i the value of B1 (i)S(i) is now also a linear function of b0 . An honest server i would give the receiver the value of vi = B0 (i) + B1 (i)S(i). In such a case B0 (i) = vi − B1 (i)S(i) can also be expressed as a linear function of b0 . On the other hand, if i is a cheating server then B0 (i) is known directly as a number. Collectively all information about B0 (x) can now be expressed: ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ 1 1 1 ... 1 a0 u1 2 m−1 ⎜1 2 2 ... 2 ⎟ ⎜ ⎟⎜ . ⎟ ⎜ . ⎟ (14) ⎜ .. .. ⎟ ⎝ .. ⎠ = ⎝ .. ⎠ .. ⎝. . . ⎠ am−1 um 1 m m2 . . . mm−1 where every ui is a known linear function of b0 (or a constant, which is still a linear function of b0 ). Using Vandermonde matrices again, it is clear that the receiver can solve a0 as a linear function of b0 . This implies that the value of a0 + αb0 can be known for some α, while the exact value of (a0 , b0 ) is unknown. To conclude, in every possible case, the view of the receiver allows him to know a0 + s0 b0 only. Other than that, the freedom of a0 and b0 remains. Therefore, a0 + s0 b0 is all the receiver can get, fulfilling the security requirement of the sub-protocol. For sender’s privacy against servers, it is clear that a coalition of λ3 servers gets no information about a0 due to missing information on B0 (x). But they can

386

K.Y. Cheong, T. Koshiba, and S. Nishiyama

get b0 (as λ3 > λ2 ), which means they also seem to get a linear combination of secrets. The important difference is that they do not have the freedom to choose the combination. Due to this, in the next section we can show the security of the full protocol. 5.3

Full Protocol Avoiding Linear Combination

We note that it is important to prevent the receiver from getting a linear combination of the secrets. In particular, OT security should not depend on what is already known about the secrets when the protocol is started. For example, if ω0 is known to be a multiple of a number K, and ω1 is smaller than K, then the knowledge of ω0 + ω1 can reveal both secrets. To ensure the receiver really only gets one secret, the method suggested in [10] is used. The sub-protocol is run twice in parallel. For the first time, two random values of γ0 and γ1 are generated by the sender and the sub-protocol is run with a0 = γ0 and b0 = γ1 − γ0 . For the second time, the values of γ0 ω0 and γ1 ω1 are used, where (ω0 , ω1 ) are the real secrets. In this run a0 = γ0 ω0 and b0 = γ1 ω1 − γ0 ω0 . The receiver then starts his part of protocol but only one S(x) is used, with each honest server i receiving yi = S(i) only once. This effectively allows the receiver to get Aγ0 + Bγ1 and Aγ0 ω0 + Bγ1 ω1 for any A and B with A+B  = 0 mod p. The receiver is honest whenever A = 0 or B = 0. In this case, the required secret ωσ can be obtained directly. Otherwise, the receiver gets the value of the vector:



A B γ0 (15) Aω0 Bω1 γ1 such that each possible pair of (ω0 , ω1 ) with ω0  = ω1 corresponds to a unique pair of (γ0 , γ1 ), giving no information on (ω0 , ω1 ). To make sure ω0  = ω1 we need to add some special rules to the DOT. For example, it can be that all sender’s secrets are odd numbers, but the sender can randomly choose to add one to any of them before putting them as the input of the DOT. In the case that the two secrets are equal, one and only one of them is changed to an even number. Although the message space is reduced by half, it can be handled by choosing a larger p. On the other hand, for sender’s privacy against λ3 servers, it is now obvious that all the malicious servers get is the vector in (15) with A = −1 and B = 1. Therefore they receive no information about the sender’s secrets in the DOT scheme. This protocol achieves full security of DOT, and reaches the upper bounds for all parameters. The protocol is highly efficient for the servers, as each of them only receives five numbers and returns two simple functions of them. With a fixed value of m, parameters λ1 and λ2 can be adjusted freely before the protocol begins. This gives an advantage when one of the sender or receiver is more trustworthy than the other.

Strengthening the Security of Distributed Oblivious Transfer

6

387

Extension and Concluding Remarks

Our scheme can be extended to 1-out-of-N DOT. The result is basically same as [11]. The only difference is that all polynomials should be allowed to have any degree smaller than their corresponding maximum. Techniques to keep the receiver from getting a linear combination of secrets are required too. This scheme can also be extended to the case where M servers are available, but the receiver is only allowed to communicate with any m of them, including the servers corrupted by him. In this case, exactly the same protocol can be used, with the sender communicating with all servers and the receiver only m of them. To conclude, in this paper we revise the definition of DOT with stronger adversaries and fewer other assumptions. Then we generalize the concept of [10] in order to construct a secure DOT protocol based on polynomials. After considering some known attacks, we show a secure example based on [11]. For the first time, we prove the DOT security explicitly. We also show the general bounds of DOT, which are reached by the system parameters of our scheme.

References 1. Blundo, C., D’Arco, P., De Santis, A., Stinson, D.: On unconditionally secure distributed oblivious transfer. Journal of Cryptology 20(3), 323–373 (2007); A preliminary version appeared in Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 291–309. Springer, Heidelberg (2003) 2. Brassard, G., Cr´epeau, C., Santha, M.: Oblivious transfers and intersecting codes. IEEE Transactions on Information Theory 42(6), 1769–1780 (1996) 3. Brassard, G., Cr´epeau, C., Wolf, S.: Oblivious transfers and privacy amplification. Journal of Cryptology 16(4), 219–237 (2003) 4. Cr´epeau, C.: Equivalence between two flavours of oblivious transfer. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 350–354. Springer, Heidelberg (1988) 5. Cr´epeau, C., Savvides, G.: Optimal reductions between oblivious transfers using interactive hashing. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 201–221. Springer, Heidelberg (2006) 6. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Communications of the ACM 28(6), 637–647 (1985) 7. Ghodosi, H.: On insecurity of Naor-Pinkas’ distributed oblivious transfer. Information Processing Letters 104(5), 179–182 (2007) 8. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Proc. 19th ACM Symposium on Theory of Computing, pp. 218–229 (1987) 9. Kilian, J.: Founding cryptography on oblivious transfer. In: Proc. 20th ACM Symposium on Theory of Computing, pp. 20–31 (1988) 10. Naor, M., Pinkas, B.: Distributed oblivious transfer. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 205–219. Springer, Heidelberg (2000)

388

K.Y. Cheong, T. Koshiba, and S. Nishiyama

11. Nikov, V., Nikova, S., Preneel, B., Vandewalle, J.: On unconditionally secure distributed oblivious transfer. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 395–408. Springer, Heidelberg (2002) 12. Rabin, M.: How to exchange secrets by oblivious transfer, Technical Report TR-81, Aiken Computation Laboratory, Harvard University (1981) 13. Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979) 14. Yao, A.C.-C.: Protocols for secure computations. In: Proc. 23rd IEEE Symposium on Foundations of Computer Science, pp. 160–164 (1982)

Towards Denial-of-Service-Resilient Key Agreement Protocols Douglas Stebila1 and Berkant Ustaoglu2 1

Information Security Institute, Queensland University of Technology, Brisbane, Australia [email protected] 2 NTT Information Sharing Platform Laboratories, Tokyo, Japan [email protected]

Abstract. Denial of service resilience is an important practical consideration for key agreement protocols in any hostile environment such as the Internet. There are well-known models that consider the security of key agreement protocols, but denial of service resilience is not considered as part of these models. Many protocols have been argued to be denialof-service-resilient, only to be subsequently broken or shown ineffective. In this work we propose a formal definition of denial of service resilience, a model for secure authenticated key agreement, and show how security and denial of service resilience can be considered in a common framework, with a particular focus on client puzzles. The model accommodates a variety of techniques for achieving denial of service resilience, and we describe one such technique by exhibiting a denial-of-serviceresilient secure authenticated key agreement protocol. Our approach addresses the correct integration of denial of service countermeasures with the key agreement protocol to prevent hijacking attacks that would otherwise render the countermeasures irrelevant.

1

Motivation

Reliable, fast, and secure communication is essential for commercial success on today’s Internet. Slow web pages could motivate clients to switch to an alternative business, leading to a loss in customer base for the service provider. However, maintaining sufficiently powerful servers can be an expensive venture. Servers have limited resources in terms of the amount of traffic that can be handled, the time required to establish a connection, and the number of active concurrent connections. This effectively bounds the number of connections a company’s server can honour in a given period in time. Malicious parties have recognized that they can benefit by depleting the limited resources of others’ servers. Denial of service attacks aim to disrupt, destroy, or render services unavailable. A typical denial of service attack exhausts the target’s resources. The server is rendered unavailable for honest clients, who then proceed to request similar services from competitors. To prevent malicious requests, a server needs to filter out bogus connection requests and honour those from legitimate clients. Recognizing legitimate clients is difficult. We will view C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 389–406, 2009. c Springer-Verlag Berlin Heidelberg 2009 

390

D. Stebila and B. Ustaoglu

a client as having legitimate intentions if it is willing to perform an expensive computation; it still could be malicious, but we may have no further way of distinguishing legitimate from malicious connections with a priori authentication. Security is an important aspect of online services. Many connections between a client and a server need to be secured against third parties; financial transactions are the most common case. Key agreement is used to produce a shared secret that can be used to encrypt subsequent communication. Key exchange involves computationally expensive algorithms, and hence may dominate server-side run time, limiting the number of clients serviced. This makes key agreement an enticing target for denial of service attacks since a malicious party can easily issue many key agreement requests. Hence, it is advantageous to try to reject as many bogus connections as possible during key agreement. In this paper we are concerned with deterring malicious parties from initiating denial of service attacks based on key agreement, without compromising on security. Practitioners and standardization bodies have recognized the importance of denial of service resilience, but researchers have been slow to respond with a formal treatment of the subject. In some sense, addressing denial of service resembles the initial approach to key agreement: rather than constructing an overall model, a list of ad hoc goals is selected and then it is shown that a protocol meets those goals. As a result, it is difficult to evaluate the strength and usefulness of denial of service countermeasures when integrated into protocols. Our Contributions. We give a formal definition of denial of service resilience for key agreement protocols in the context of the extended Canetti-Krawczyk (eCK) model for secure key agreement. Our definition for denial of service resilience is sufficiently strong that it prevents known attacks that arose against protocols once thought to be denial of service resilient. Puzzles have been previously used as a denial of service countermeasure, but in an ad hoc manner. Compared to previous work, our contribution models the careful integration of two orthogonal issues: key agreement security and denial of service resilience. It is well established that improper use of cryptographic algorithms can render them useless. For example, even the most secure password-based system is of no use if weak passwords are used. Similar reasoning applies for DoS countermeasures: even good solutions are useless if they are not used properly. For example, if a proof-of-work in the form of a puzzle solution does not indicate who is the intended recipient, when the solution was created, or who created the solution, then the door is open for misuse. Without careful integration into the overall protocol, DoS countermeasures may not achieve their goal. Additionally, we present the DoS-CMQV protocol which is a secure key agreement protocol and uses client puzzles to offer denial of service resilience in our model, showing how to achieve security and denial of service resilience together.

2

Previous Work

Key Agreement. Key agreement is an important cryptographic primitive used for building confidential channels. Designing and analyzing key agreement protocols

Towards Denial-of-Service-Resilient Key Agreement Protocols

391

is a non-trivial task. Formal models, which allow complexity-theoretic security arguments for authenticated key agreement, were first proposed by Bellare and Rogaway [1] and Blake-Wilson, Johnson, and Menezes [2]. The work of Canetti and Krawczyk [3] is one of the most influential extensions to the original models. Their work was later augmented by Krawzcyk [4] and LaMacchia, Lauter and Mityagin [5] to capture a wider range of desirable security properties; we refer to this as the extended Canetti-Krawczyk (eCK) model. In all of the above models the adversary controls all communication links. It is not immediately clear how denial of service can be considered alongside key establishment when the adversary may not deliver messages to destinations. However, even in this setting there are meaningful DoS-related goals that can be incorporated into the model; we discuss our extension in Sect. 3.1. Denial of Service. There are two main types of denial of service attacks (see [6, §1.6.6], for example): resource depletion attacks and connection depletion attacks. In resource depletion attacks a malicious party attempts to drain a server’s computational or memory resources. By contrast, connection depletion attacks aim to exhaust the number of allowed connections to the server. A DoS countermeasure can aim to defend against either or both of these types of attacks. Distributed denial of service (DDoS) attacks, in which many distributed client computers attack a single server, are of significant concern on the Internet today. These types of attacks are very difficult to defend against. One known technique, which we use in this paper, is to allow a server to adjust its denial of service countermeasure based on the load it experiences. Puzzle auctions [7] are one such implementation of tunable puzzles. Aura and Nikander [8] introduced the notion of stateless connections, in which stateful connections are transformed into stateless ones by attaching the state information to the message and using a message authentication code for integrity. This gives some protection against denial of service by saving the server from having to store session information until later in the exchange when more assurance is possible. Meadows [9] offered the first formal framework for denial-of-service-resilient protocols, based on the causal sequencing language of fail-stop protocols of Gong and Syverson [10]. To avoid connection depletion, Meadows suggests that each message be authenticated with increasingly complex levels of authentication. Meadows then applies this framework to the Station-to-Station protocol [11] to identify potential DoS attacks but does not provide a denial-of-service-resilient protocol. An application of Meadow’s cost-based framework to the JFK protocol revealed a potential DoS attack, and a solution to this problem was proposed using client puzzles [12]. This underscores the ability of formal models to reveal flaws and the need for the formalization of denial of service resilience. Cookies. One of the first techniques used to defend protocols against denial of service attacks was cookies. Introduced in the Photuris protocol (published in 1999 as [13] but introduced earlier), cookies are small authentication tokens returned by a server upon initial connection by the client. In order for the client to

392

D. Stebila and B. Ustaoglu

be allowed to continue with the connection, the client must echo the cookie back to the server. The server does not store the cookie, instead using the stateless connection technique to check the authenticity of the cookie which the client includes in subsequent messages. Cookies can be applied in Meadows’ framework as an early level of authentication. Krawczyk’s SIGMA protocol [14] was proposed as a successor of the Internet Key Exchange (IKE) protocol used in IPsec, and was adapted to have denial of service resilience in the form of cookies in its implementation in IKEv2 [15]. Cookies are also used in the Just Fast Keying protocol (JFK) proposed by Aiello et al. [16]. JFK allows the server to reuse its ephemeral private-public key pair across multiple sessions to reduce the server’s computational load, at the expense of increasing the potential damage should an ephemeral private key be leaked. Cookies are a valuable first-order denial of service countermeasure and have been used extensively as described above. However, they are a weak form of denial of service resilience because they do not require an attacker to do anything other than faithfully relay a previously received cookie. Protocols using cookies can also be susceptible to other types of attacks. Mao and Paterson [17, §2.2] described a denial of service attack against IKEv2. In ˆ can redirect their attack, a malicious party who controls a popular server M ˆ towards another target server M ˆ  , thereby effecting a legitimate traffic from M ˆ  . The attack only costs M ˆ bandwidth, not denial of service attack against M computation or memory, and is resilient to cookie-based DoS countermeasures. This attack is possible because there is no strong binding between the DoS countermeasure and the identity of the server to which the client wishes to connect: we codify this notion in our security criterion DoS-2 in Sect. 3. Despite key agreement and denial of service being orthogonal issues, combining them is no trivial task, as demonstrated by this attack. Puzzles. Dwork and Naor [18] introduced the notion of client puzzles to defend against denial of service attacks. A server under a denial of service attack can require clients to find the solution to a puzzle before the server allocates resources: the puzzle should be hard to solve but the solution should be easy to verify. Back [19] and Juels and Brainard [20] suggested using a hash function so that a client must perform a large number of operations to find the solution; this is a computation-bound puzzle. We build on their approach by specifying how puzzles should be integrated with key agreement. Puzzles where computing the solution is more dependent on memory access time, called memory-bound puzzles, have also been suggested for use [21]; these offer less varied running times across different hardware platforms because memory access times vary less than processor speed. Waters et al. [22] described how puzzles can be distributed across multiple servers for coordinated access. Aura, Nikander, and Leiwo [23] gave a framework for using hash function preimages as a denial of service in authentication protocols, and lay out the basic principle that “the client should always commit its resources to the authentication protocol first and the server should be able to verify the client commitment before allocating its own resources”. We use this principle to develop a model for

Towards Denial-of-Service-Resilient Key Agreement Protocols

393

denial-of-service-resilient key agreement. The technique of [23] is not sufficient to defend against the attack of Mao and Paterson [17]; our approach is. This principle of clients committing resources before the server does applies well to preemptive DoS countermeasures. The server obtains assurance that the client committed resources, but this is no guarantee that the client will complete the request. If a client does not finish a request then what should the actions of the server be? What should a server do if a client takes too long to respond after presenting its proof-of-work? Even though such open connections have important practical significance, preemptive measures do not completely cover the problem of open connections, such as the half-open connections of TCP SYN flood attacks [24]; a common countermeasure is to discard old uncompleted open connections.

3

Modelling Denial of Service Resilience and Security

We begin with an informal description of the goals of a denial-of-service-resilient protocol and then proceed to outline a formal model for integrating denial of service resilience and secure key agreement protocols. While the goals of denial of service resilience and secure key agreement are, as others such as Krawczyk [14, §2.3] have noted, orthogonal issues, it is useful to be able to discuss them in a common framework. We must be careful to integrate the two issues sufficiently well to avoid the types of attacks proposed by Mao and Paterson [17]. Denial of Service Resilience Intuition. We are concerned about the situation in which a malicious party on the network can cause a server to perform many expensive operations (and key agreement is one such expensive operation) for no good reason, eventually consuming all of the server’s available resources. But since the server is willing to place itself on the network for the use of all users, how can the server know if it is doing work for a good reason or not? Distinguishing legitimate requests from malicious requests is an essential element of denial of service resilience. While one can never be certain about the good intentions of another party on the network, it is plausible to believe that a client is making a legitimate request if the client is willing to commit some expensive resources – computation, memory, etc. – to the connection request. However, if a client does do something expensive to prove its good faith, then a good protocol should protect the client from being exploited by a malicious party aiming to steal the client’s work. Last but not least, a server should be able to adapt its procedures to resist being flooded by many “honest” requests that may be coordinated for maximum impact. These ideas lead us to the following five informal criteria for a denial-ofservice-resilient protocol: ˆ does not perform any expensive DoS-1. An uncompromised honest server B operations with a client unless it is convinced the client is trying to make a legitimate connection. ˆ does not perform any expensive operations unDoS-2. Moreover, a server B ˆ and not another less it is convinced that the client wants to talk to B ˆ server M .

394

D. Stebila and B. Ustaoglu

DoS-3. A client Aˆ who commits significant resources to prove its legitimate intentions cannot have her work stolen: the work that Aˆ does to convince ˆ that it wants to communicate legitimately with B ˆ cannot convince B anyone of anything else. DoS-4. A malicious party1 must use a very large amount of resources if it wishes to prepare sufficiently many connection requests and “flood” a server with many valid connection requests. DoS-5. A server can adjust the amount of work a client has to do in times of higher or lower load. In Sect. 3.1, we give a formal definition of denial of service resilience and describe in Sect. 3.2 how it achieves each of the goals DoS-1 through DoS-4; goal DoS-5 is a property of a particular countermeasure and not of the formal model. The first two goals aim to protect the server from performing unnecessary expensive operations. While what qualifies as an expensive operation can vary depending on the setting, we identify three main classes of expensive operations for the purposes of denial of service: memory denial of service attacks, in which the server is forced to perform slow, expensive memory reads or writes or use large amounts of memory; computational denial of service attacks, in which the server is forced to perform operations requiring significant computational time (such as exponentiation, elliptic curve point multiplication, or many simpler operations such as hash function or MAC evaluations); and transmission denial of service attacks, in which the server is forced to expend resources available to send and receive communications. In various situations, different notions of expensive can apply; for example, in mobile environments, transmitting and receiving take a lot of time and power. To achieve denial of service resilience, we require that a client answer a puzzle that takes significant computational or memory resources to solve, but is easy for a server to prepare and verify. The key idea is to tightly bind the puzzles with the identities of the parties involved to prevent attacks in which work can be stolen or redirected. This allows a server to be more convinced of a client’s legitimate intention to engage in a key agreement protocol. Secure Key Agreement Intuition. As noted in Sect. 2, secure key agreement has been extensively studied. The goal of an adversary in the eCK model is to learn any information about the session key established by a pair of uncompromised participants. If an adversary cannot distinguish such a session key from a randomly selected string with non-negligible probability, then the session key is viewed as secure and suitable for use in bulk encryption. The model is formally described in Sect. 3.1 and the definitions of security are given in Sect. 3.1. 3.1

Formal Model Description

Our model is based on the extended Canetti-Krawczyk (eCK) model proposed in [5]. However, instead of all exchanged messages we use a fingerprint of exchanged messages to identify session. 1

A malicious party can be a single entity or a collection of entities working together.

Towards Denial-of-Service-Resilient Key Agreement Protocols

395

ˆ B, ˆ . . .}, where a party A protocol takes place among n parties Parties = {A, is a probabilistic polynomial-time Turing machine. In addition to the certified and validated static key pair, each party also possesses static information that is not certified. If non-empty, the non-certified information may be either private or public. Parties are activated via incoming messages, which are then processed within the party. As a result a party either returns its outgoing response or indicates if the processing resulted in failure or success. Pre-session and Session Creation. An execution of the protocol is called a session. A party may receive an incoming request to initiate a session via a message ˆ B) ˆ or (ii) (A, ˆ B, ˆ “hello”). In the former case Aˆ is called the client or (i) (A, ˆ A, ˆ “hello”) desiginitiator, and reacts by creating a separate session request (B, ˆ In the latter case, Aˆ is called the server or responder, and creates nated for B. ˆ A, ˆ “hello”) designated for B. ˆ Server Aˆ selects a a separate session request (B, ˆ challenge ch and sends (B, ˆ A, ˆ “hello”, ch) to B. ˆ Within fresh (unique within A) a party the execution of the subroutines between the session request and either accepting or rejecting the request to initiate a session is called a pre-session. The model does not prevent a protocol from accepting multiple distinct responses to the same challenge. The motivation for the pre-session is to include the denial of service countermeasure in the pre-session and leave expensive operations and resources commitment by a server for the session. A session can only be reached after a successful pre-session: in other words, expensive resources will only be committed by the server once the denial of service countermeasure are passed. A party Aˆ can be activated to create a session with a message of the form ˆ B, ˆ “hello”, ch) or (ii) (A, ˆ B, ˆ ch, re). If the activation is of type (i) then A, ˆ (i) (A, who is the initiator, prepares re that passes all protocol conditions and creates ˆ the outgoing message an active session. The string re must be unique within A; ˆ A, ˆ ch, re). If the activation is of type (ii) then A, ˆ who is the responder in is (B, ˆ B, ˆ ch, re) satisfies the protocol requirements; if so a this case, verifies that (A, new active session is created, otherwise the message is ignored. If a responder Aˆ creates a new session, then the outgoing message is (Ψ, mesg), where mesg is prepared by Aˆ in accordance with the protocol and Ψ is the session string ˆ which is derived from identifier, a string used to identify sessions within Aˆ and B, (ch, re) and possibly other publicly known parameters. The conditions imposed ˆ on ch and re allow for the derivation of a string unique within both Aˆ and B. Session State. Upon creating a session, Aˆ also creates a separate session state that contains both private and public session-specific information. The private information is needed to derive a secret session key. The public information is ˆ B, ˆ Ψ, role, otherinfo), where B ˆ is the purported session peer ; role is either (A, “initiator” or “responder” and otherinfo is any other public information required ˆ B, ˆ Ψ] and Ψ by the protocol. Globally the session is identified via sid = [A, ˆ ˆ ˆ ˆ identifies the session within A. For sid = [A, B, Ψ] we call A the owner and ˆ are the communicating partners of sid. Sessions sid = [A, ˆ B, ˆ Ψ] together Aˆ and B ∗   ˆ ˆ ˆ ˆ ˆ ˆ and sid = [C, D, Ψ ] are matching if Ψ = Ψ , A = D, and C = B.

396

D. Stebila and B. Ustaoglu

As in the eCK model, Aˆ can be activated to update a session via a message of the form (Ψ, mesg). Upon receipt of such a message, Aˆ performs validation procedures similar to the eCK model and updates its state. At any stage a session is in exactly one of the following states: active, completed or aborted. Adversary. The adversary M is a probabilistic Turing machine that controls all communications and party activation via the query Send(·). Parties present M with their outgoing messages. Leakage of private information to M is modelled via the following adversary queries: ˆ M obtains A’s ˆ static private key. – StaticKeyReveal(A): – EphemeralKeyReveal(sid): M obtains the ephemeral private key of Aˆ in sesˆ B, ˆ Ψ]. sion sid = [A, – SessionKeyReveal(sid): If sid has completed then M obtains the session key in sid. ˆ , M ): M registers an adversary-controlled party M ˆ with static – Establish(M public key M ∈ G. If a party is not adversary-controlled it is said to be honest. ˆ M obtains the non-certified private information belonging to – DoSExpose(A): ˆ excluding the session-related ephemeral private keys. Parties an honest A, against which this query was issued are called DoS-exposed, otherwise they are called DoS-unexposed. The role of the new DoSExpose query in our model is to allow us to identify the parties which ought to still be resilient to denial of service attacks, namely those parties which are DoS-unexposed. For example, adversary-controlled parties are not relevant to the DoS portion of the protocol. Moreover, a separate DoSExpose query allows us to separate denial of service resilience from key agreement security: compromise of key agreement secrets can be an orthogonal issue to compromise of denial of service. Key Agreement Security Definitions. Security is defined via indistinguishability. At any time during the experiment M can make one special query, Test(sid), to a session sid that must remain fresh throughout the experiment. The goal of M is to guess whether the response to the query is sid’s key or a random key. Definition 1 (Fresh session). Let sid be the identifier of a completed session, ˆ who is also honest. Let sid∗ be the owned by an honest party Aˆ with peer B, identifier of the matching session of sid, if it exists. Then sid is fresh if none of the following conditions hold: 1. M issued SessionKeyReveal(sid) or SessionKeyReveal(sid∗ ) (if sid∗ exists). 2. sid∗ exists and M issued one of the following: either ˆ and EphemeralKeyReveal(sid), or (a) both StaticKeyReveal(A) ˆ and EphemeralKeyReveal(sid∗ ). (b) both StaticKeyReveal(B)

Towards Denial-of-Service-Resilient Key Agreement Protocols

397

3. sid∗ does not exist and M issued one of the following: either ˆ and EphemeralKeyReveal(sid), or (a) both StaticKeyReveal(A) ˆ (b) StaticKeyReveal(B). Definition 2 (Secure key agreement protocol). A key agreement protocol is secure if the following conditions hold: (i) two honest parties that complete matching sessions then, except with negligible probability they compute the same session key; and (ii) no polynomially bounded adversary M can distinguish the session key of a fresh session from a randomly chosen session key with probability greater than 12 plus a negligible fraction (in the security parameter). Denial of Service Definitions. In the protocol there is a test that the server performs on some of the messages received to determine if the client has done sufficient work to merit the server performing expensive operations. The client’s work, modelled by a puzzling relation, is used to define the protocol’s denial of service resilience. Definition 3 (Puzzling relation). Let Challenges and Responses be sets. A relation R ⊆ Parties × Parties × Challenges × Responses is a puzzling relation if ˆ B, ˆ ch, re) ∈ R is “easy”, and 1. deciding if (A, ˆ B, ˆ ch, and an oracle U that, on input (Aˆ , B ˆ  , ch ), returns re with 2. given A,  ˆ  , ch , re ) ∈ R, it is “hard” to produce re such that (A, ˆ B, ˆ ch, re) ∈ R (Aˆ , B ˆ B, ˆ ch). and re was not a response generated by the oracle U upon input (A, The notion of “expensive operation”, “easy”, and “hard” will depend on the application context. Although we have left these notion vague, they can be formalized, for example as a proof of work [25]. We omit this formalization as the focus of our work is on the integration of denial of service resilience techniques into key agreement protocols, not the construction of suitable puzzles. ˆ B, ˆ ch] is an acDefinition 4 (Acceptable pre-session). A pre-session [A, ˆ ˆ ceptable pre-session for B if B generated ch. Definition 5 (Denial-of-service-resilient protocol). Let R be a puzzling relation. A protocol Π is denial-of-service-resilient if the following hold for every ˆ DoS-unexposed server B: ˆ only performs expensive operations (a) in a session, or (b) for some (low 1. B frequency) periodic update of its non-certified private information ρ, and ˆ only establishes a session [B, ˆ A, ˆ ch, re] if the pre-session [A, ˆ B, ˆ ch] was an 2. B ˆ and (A, ˆ B, ˆ ch, re) ∈ R. acceptable pre-session for B Note that we have explicitly avoided merging Definitions 4 and 5 (as Definition 4 could be part of Condition 2 of Definition 5) because we acknowledge that there may be situations that require a different notion of acceptable pre-session, for example one-pass key agreement protocols where both ch and re are generated ˆ has an assurance that by the initiator. In particular, it appears to suffice that B ch was generated independently at random before re.

398

3.2

D. Stebila and B. Ustaoglu

Model Implications

In this section we explain how our formal model of denial of service resilience in Definition 5 satisfies the informal goals for denial of service resilience of Sect. 3. ˆ does not perform any expensive DoS-1. An uncompromised honest server B operations with a client unless it is convinced the client is trying to make a legitimate connection. ˆ does not perform any expensive By condition 1 of Definition 5, a server B operation with a client until it has established a session, and by condition 2 it will not establish a session until it received a response to its challenge that satisfies the puzzling relation. In order to satisfy the puzzling relation, the client must do a significant amount of work because of condition 2 of Definition 3; by doing this work, the client convinces the server that it is trying to make a legitimate connection. Moreover, since sessions are unique within a party, replay attacks of legitimate connection requests are prevented. ˆ does not perform any expensive operations unless DoS-2. Moreover, a server B ˆ and not another server M ˆ. it is convinced that the client wants to talk to B Condition 2 of Definition 3 allows us to meet this criterion: even if an adversary ˆ M ˆ , ch, re) ∈ R, the tuple (A, ˆ B, ˆ ch, re) is unlikely to be in R obtains any tuple (A, ˆ B, ˆ ch, re ) ∈ and moreover it remains hard to produce a response re such that (A, R. Since it is hard to create such a tuple given oracle access to R, then it is still hard to construct any tuple in R without oracle access. Our approach avoids the attack of Mao and Paterson [17] against IKEv2 in which an attacker can redirect traffic from her server towards other servers and can cause the receiving server to deplete its connection resources at low expense to the attacker. That attack is possible because there is no cryptographic binding between the denial of service countermeasure and the identities of the parties involved. By including the names of the client and server in the puzzling ˆ can be assured that whoever solved the puzzle intended to relation, a server B ˆ communicate with B. DoS-3. A client Aˆ who commits significant resources to prove its legitimate ˆ that intentions cannot have her work stolen: the work that Aˆ does to convince B ˆ it wants to communicate legitimately with B cannot convince anyone of anything else. ˆ is a DoS-unexposed server and suppose an honest client Aˆ starts a Suppose B ˆ B, ˆ ch], and then finds a value re such that (A, ˆ B, ˆ ch, re) ∈ R. The pre-session [A, client wishes that the response value should not be useful to anyone else trying ˆ work to establish a session; in other words, no one should be able to steal A’s and use it in another pre-session. ˆ  , ch ] is another pre-session. Given these values, it is hard to Suppose [Aˆ , B  ˆ  , ch , re ) ∈ R, even with help from another preproduce re such that (Aˆ , B ˆ ˆ session such as [A, B, ch], because R is a puzzling relation. The help given by the other pre-session can be modelled as one response of the oracle U in Definition 3

Towards Denial-of-Service-Resilient Key Agreement Protocols

399

for another pre-session, and this is of no help in a puzzling relation. Thus, an honest client’s work in solving a puzzle is of no use to anyone else responding to a different challenge, or with a different server, or with a different user name. ˆ entire response and then participates If the adversary M simply relays A’s ˆ in A’s place, the server will proceed with key agreement but this session will ultimately fail, since it is secure in the sense of Definition 2 key agreement ˆ protocols, and thus M cannot complete a session masquerading as A. DoS-4. A malicious party must use a very significant amount of resources if it wishes to prepare sufficiently many connection requests and “flood” a server with many valid connection requests. As noted in DoS-1, a server will only perform expensive operations if it has been convinced that the client is trying to make a legitimate connection, meaning the client has solved an instance of the puzzling relation, which is “hard” and requires a significant amount of resources. Suppose that for an attacker to start a session requires t steps of computation (e.g., t may be the number of cycles it takes to solve a computationally bound puzzling relation), and a server has enough computational resources to support n connections per second. Then, roughly speaking, an attacker’s computers must be able to perform tn steps of computation per second to sustainably render the server unavailable through a denial of service attack, which may require distributed resources. By registering many dishonest parties the above attack can be incorporated in our model. While not completely defending against such powerful distributed attacks, we can at least allow the amount of denial of service resilience to be tuned in the event of heavy traffic. On the other hand what our model assures is that the adversary cannot use honest parties to mount such distributed attacks. For example, a DoS-resilient protocol guards against the attack where the adversary registers ˆ , initiates pre-sessions between honest parties and a single malicious party M ˆ , and then forwards messages from the honest parties to create many sessions M at an honest server. That is, the model defends against Mao-Patterson type of attacks. Consider also the case of replay attacks, in which an attacker resends the same message many times to a server. Suppose in particular that an attacker replays a ˆ B, ˆ ch]. This set of values leads to the server response value re for a pre-session [A, ˆ ˆ session [B, A, ch, re], which already exists in the server. Since sessions identifiers are unique in the model, the server will not start a new session and hence commit no new resources as a result of this replay. This requires the server to store a table of session identifiers, but this does not result in a denial of service attack in theory since the server commits memory resources for the entries in the table only once the puzzling relation has been passed. To limit the size of the table, the server could change the non-certified information ρ periodically. When receiving a previous challenge and response, an entirely acceptable action would be for the server to respond to the replay with the same response it gave previously; this prevents puzzle stealing attacks where the adversary responds to a puzzle faster than a legitimate client. Now, if the attacker were to compute a different ˆ B, ˆ ch], then the server would commit response value re for the pre-session [A,

400

D. Stebila and B. Ustaoglu

new resources to the new session, but this is acceptable since the attacker solved the puzzling relation, just as a legitimate client must. Since in the Canetti-Krawczyk model we allow the adversary to control the delivery of messages, an adversary may choose not to deliver the final message from the client to the server and leave the server with an incomplete session (similar to the half-open connections of TCP SYN flood attacks [24]). Our model does not view this as a denial of service attack, because the server has been assured that the other party performed many expensive computations to create the connection. This type of attack can be mitigated, without affecting the security assurance nor preventive DoS countermeasures, by conventional server policies to deal with open connections that are not completed for a predefined period of time. Such countermeasures can be separately addressed once the server is assured about the correct connection between the proof of work, the client’s identity and the client’s intended recipient – exactly what our model provides.

4

A Secure DoS-Resilient Key Agreement Protocol

Our DoS-CMQV protocol, given in Fig. 1, is an adaptation of the CMQV [26] secure authenticated key agreement protocol. We use the problem of finding preimages for a random hash function as the expensive puzzle at the heart of the puzzling relation that a client needs to solve. The notation L[i] refers to the ith component in the tuple L. H0 and H1 are random hash functions [1] that return bit strings; all other hash functions return random integers between 1 and q, the order of the group G generated by g. We use x[1...w] to denote the first w bits of x. We note that in practice H1 should be chosen so as to be unique to the protocol so that puzzles cannot be outsourced to another protocol; for example, H1 (. . .) = SHA-256(“DoS-CMQV”, 1, . . .). 4.1

Security Analysis

Theorem 1. If H0 , H1 , . . . , H5 are random oracles [1], and G is a group where the Gap Diffie-Hellman (GDH) assumption [27] holds, then DoS-CMQV is a secure key agreement protocol. Argument. The DoS-CMQV security argument is similar to the argument presented for CMQV in [26]. We proceed to outline the argument. Verifying condition 1 of Definition 2 is straightforward. It remains to verify condition 2. In the model here parties possess additional (non-certified) private information ρ, which the adversary can obtain via DoSExpose query. For each of the events in the analysis of CMQV, the solver establishes and simulates the parties similar to the CMQV analysis. The main difference is that when parties are established the solver selects randomly the value ρ for each party. The DoSExpose queries are answered faithfully and they do not affect the freshness of the session. Since the new adversary query is not relevant to the security analysis of the events, the solver can transform the DoS-CMQV adversary to a GDH solver with similar success and running time as a CMQV adversary. Hence a polynomially bounded DoS-CMQV adversary contradicts the assumptions in the theorem.  

Towards Denial-of-Service-Resilient Key Agreement Protocols DoS-CMQV with security parameter λ ˆ Client A 0. g, a, A = g a , B ˆB ˆ “hello”,A, 1. −−−−−−→ 2. ch 3. store x ˜ ∈R {0, 1}λ ←−−−−−− x 4. x = H2 (˜ x, a), X = g 5. find  s.t. ˆ B, ˆ ch, X, )[1...20] = 0 . . . 0 H1 (A, 6. re = (X, ), Ψ = (ch, re) ˆ A,ch,re ˆ B, ˆ Ψ] 7. establish session [A, −−−−−−→ 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18.

401

ˆ Server B g, b, B = g b , A, ρ ∈R {0, 1}λ i ∈R {0, 1}λ ˆ B, ˆ i) j = H0 (ρ, A, ch = (i, j)

ˆ B, ˆ ch[1]) verify ch[2] = H0 (ρ, A, ˆ B, ˆ ch, re)[1...20] = 0 . . . 0 verify H1 (A, ˆ A, ˆ ch, re] establish unique session [B, ˆ store A, Ψ = (ch, re) X = re[1] verify X ∈ G y˜ ∈R {0, 1}λ , y = H2 (˜ y , b) store Y = g y ˆ B), ˆ e = H3 (Y, A, ˆ B) ˆ d = H3 (X, A,

σ = (XAd )y+eb store M1 = H4 (“server finished”, ˆ B, ˆ ch, re, Y, σ) A, store M2 = H4 (“client finished”, ˆ B, ˆ ch, re, Y, σ) A, Ψ,Y,M1 ˆ ˆ ←−−−−−− store K = H5 (A, B, ch, re, Y, σ)

verify Y ∈ G ˆ B), ˆ e = H3 (Y, A, ˆ B) ˆ d = H3 (X, A, σ = (Y B e )x+da verify M1 M2 = H5 (“client finished”, ˆ B, ˆ ch, re, Y, σ) A, Ψ,M ˆ ˆ 24. K = H5 (A, B, ch, re, Y, σ) −−−−−2−→ verify M2 19. 20. 21. 22. 23.

Fig. 1. DoS-CMQV: A denial-of-service-resilient adaptation of the CMQV protocol

4.2

Denial of Service Resilience Analysis

In this section we show that the DoS-CMQV protocol given in Fig. 1 is denial-ofservice-resilient according to Definition 5. Since this definition (and the related definition of a puzzling relation) includes the intentionally vague terms “expensive operation”, “easy”, and “hard”, we need to define what these terms mean for a concrete instantiation of the definition. For our purposes, an expensive operation is one of the following operations: storing a per-connection or per-session value in memory (other than a long-term value), performing a group exponentiation, or making a large number of calls (say, more than 210 ) to a hash oracle. We first establish, via the following lemma, that the relation used in the DoSCMQV protocol is a puzzling relation and then show that our protocol is resilient to denial of service attacks

402

D. Stebila and B. Ustaoglu

ˆ B, ˆ ch, re) ∈ R if and only Lemma 1. Let R be the relation defined such that (A, ˆ ˆ if H1 (A, B, ch, re)[1...20] = 0 . . . 0, where H1 is a random hash function. Then R is a puzzling relation, where “hard” means requiring approximately 220 hash function queries on average, and “easy” is something that is not an “expensive operation” as defined above. Argument. Deciding membership in R is easy for a particular tuple because it involves only a single call to H1 . ˆ B, ˆ and a random ch, producing a value re such that Moreover, given A, ˆ B, ˆ ch, re)[1...20] = 0 . . . 0 is hard and requires approximately 220 hash oracle H1 (A, queries on average. To find such an re requires finding a preimage for the random hash function. The oracle U helps us find other preimages of H1 . Our task, then ˆ B, ˆ ch. But since H1 is a is to find a preimage of the correct format involving A, random hash function, other outputs do not help in finding a preimage for this input. Since H1 is a random hash function outputting 20 bits, this is a hard task that requires approximately 220 queries on average. This hash puzzle is similar to the partial inversion proof of work (PIPOW) problem of Jakobsson and Juels [25, §3.1]. By their Claim 1, we know that any prover Aˆ with memory bounded by m who performs on average at most ˆ B, ˆ ch) can find a response re such that w steps of computation and is given (A, ˆ ˆ (A, B, ch, re) ∈ R with probability at most p + o(m/220 ) where p = 1/(220 − w). Theorem 2. The DoS-CMQV protocol is a denial-of-service-resilient protocol, where “easy”, “hard”, and “expensive operation” are defined as above. Argument. By the Lemma above, R is a puzzling relation. ˆ B, ˆ ch] be a pre-session. According to the protocol, B ˆ does not perform Let [A, any expensive operation until line 10, which is not reached unless the server’s checks on lines 7 and 8 are passed and a new session is established on line 9. ˆ B, ˆ ch, re[1], re[2])[1...20] = If the check on line 8 is passed, namely if H1 (A, ˆ B, ˆ ch, re) ∈ R. If the check on line 7 is passed, namely if ch[2] = 0 . . . 0, then (A, ˆ ˆ H0 (ρ, A, B, ch[1]), then, except with negligible probability, ch[2] was generated ˆ is a DoS-unexposed party, only be someone who knew both ρ and ch[1]. Since B ˆ no DoSExpose(B) query could have been issued and since ρ is only ever used as ˆ knows ρ. Thus, [A, ˆ B, ˆ ch] is an acceptable an input to a random oracle, only B pre-session. ˆ establishes a session only if the corresponding pre-session is acceptHence, B able and the tuple is in the puzzling relation. Note that since sessions must be unique within a party, the server only performs these expensive operations once per session. Thus, DoS-CMQV is a denial-of-service-resilient protocol. Tuning the Puzzling Relation. The puzzle used in DoS-CMQV can be tuned by the server based on its load. The client must find a hash function preimage; for concreteness, we have specified that the first 20 bits should be zeros, but the length could be a parameter w set by the server depending on its current load.

Towards Denial-of-Service-Resilient Key Agreement Protocols

403

The server would need to include w in the computation of j on line 2, return w as part of ch on line 3, and include w in the check on line 7 to avoid spoofing. In practice, H1 could be implemented by using a standard cryptographic hash function, such as SHA-1, and truncating the output to the first w bits. In times of light load, the server could require that clients truncate only to the first 5 or 10 bits of output, but in heavier load could require that clients truncate to 20 or 25 bits of output to make the cost of mounting a denial of service attack higher. It takes just under 3 seconds to perform 220 SHA-1 evaluations on one core of our 2 GHz Intel Core 2 Duo processor using OpenSSL 0.9.7. This may be an acceptable computational burden for the client in many scenarios.

5

Other Denial of Service Constructions

Memory-Bound Puzzling Relations. While the protocol given in Sect. 4 uses a puzzling relation based on finding preimages in a hash function, other types of puzzling relations can be used, demonstrating the flexibility of our framework. Abadi et al. [21], for example, described puzzles in which memory access time provides an expected lower bound on the time it takes to solve the puzzle, removing disparities in processor speed between large computers and small devices. However, care must be taken in choosing parameters for memory-bound puzzles: the cost incurred by a server in setting up one of these memory-bound puzzles, while much less expensive than the cost incurred by a client solving the puzzle, can still be significant. For the memory-bound puzzles of [21], it took a 2.4 GHz Pentium 4 server approximately 2−7 seconds to create a puzzle that takes approximately 22 seconds to solve. By comparison, the time to do one 1024-bit modular exponentiation on a computer of similar speed is less: only 2−9 seconds. JFKi. In the JFKi protocol of [16, §2.3], the denial of service resilience goal for the server is to avoid expensive operations unless the client performs resourceheavy operations, namely group exponentiations. There are two main ideas used: reuse of ephemeral public keys and use of a keyed hash function. The purpose of reusing ephemeral public keys is to distribute the cost of an expensive operation across multiple sessions. This allows the authors to argue the client must perform her share of the work first, in terms of bearing the cost of establishing a round communication trip. The keyed hash function is used by the server to verify that the client indeed executed the round. Note that the server does not need to dedicate any resources to verify the challenge was created by the server. This can be viewed as the pre-session stage of the protocol since the goal of the first round trip is to filter out bogus connections. JFKi can be described in our model of denial of service resilience, but with weak definitions of “hard” in the puzzling relation. In the implied puzzling relation in JFKi, the client must echo back to the server all the received values and the preimage of the client’s nonce. If the puzzling relation test passes, then the server establishes a new session and computes the shared Diffie-Hellman key. The problem with JFKi’s puzzling relation is that there is no binding between the client’s ephemeral public key and the solution to the puzzling relation. A

404

D. Stebila and B. Ustaoglu

dishonest client can use the same solution to the puzzling relation with different ephemeral public keys (and it can generate these ephemeral public keys very cheaply, for example, by generating g i , g · g i = g i+1 , g · g i+1 = g i+2 , . . .) to cause the server to perform many exponentiations with little cost to the client. Thus, given the JFKi puzzling relation and a single solution to the puzzling relation, generating more solutions is easy, contradicting Condition 2 of Definition 3. Hence, JFKi does not satisfy informal goal DoS-4: the protocol is not resilient to flooding attacks. DoS-CMQV avoids this problem: producing a solution to the puzzling relation means finding a preimage in the hash function and the values cannot be repeated if the server is to establish a new session. One approach to fixing the denial of service resilience of JFKi was given by Smith et al. [12]. They note that JFKi is not denial-of-service-resilient when analyzed under Meadows’ framework [9]. They use a hash function preimage puzzle as well to bind the puzzle solution to the key exchange session at hand. There construction still preserves a fundamental design characteristic of JFKi: the responder must reuse its ephemeral private key in order to achieve denial of service resilience, preventing full freshness in the Canetti-Krawczyk model. Host Identity Protocol. The Host Identity Protocol (HIP) [28] was designed to offer protection against denial of service attacks. HIP (in [28, §4.1.1]) uses a similar puzzling relation to that of Sect. 4: the client must find a preimage in SHA-1 such that the k lowest-order bits of the output are zero. HIP includes the identities of the initiator and responder in the hash function computation as we have done. Our model provides a theoretical interpretation of the security of HIP against denial of service attacks and the value of including the client and server identities in the hash function computation.

6

Conclusion and Open Problems

We have given the first formal definition of denial of service resilience for secure key agreement protocols. Our model uses puzzles solved by the client as an indication of interest in a legitimate connection, and a variety of puzzles, both memory-bound and computation-bound, can be used. We described a protocol, DoS-CMQV, that provides resilience to denial of service attacks and offers secure key agreement. Additionally, we analyzed the existing JFKi and HIP protocols to compare their notions of denial of service resilience. Denial of service resistance countermeasures often depend on the freshness of challenges. Our model could be extended to explicitly consider the update of puzzle freshness and how past puzzles affect current denial of service resilience. This new framework for analyzing denial of service resilience can be applied in conjunction with other goals for key agreement protocols. For example, the JFK protocols [16] aim to offer privacy features: JFKi protects the initiator’s identity and JFKr protects the responder’s identity. Future work could involve designing denial-of-service-resilient protocols with similar privacy measures. This model can also be applied to give denial of service resilience to other types of key agreement protocols, for example password-authenticated key agreement

Towards Denial-of-Service-Resilient Key Agreement Protocols

405

protocols. Adapting this technique for use in IPsec or TLS would provide denial of service resilience in important Internet protocols. Acknowledgements. This work was performed while the authors were at the University of Waterloo. D.S. was supported by an NSERC Canada Graduate Scholarship. The authors are grateful for the helpful advice of Alfred Menezes and Ian Goldberg.

References 1. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) 2. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997) 3. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001) 4. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) 5. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) 6. Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Springer, Heidelberg (2003) 7. Wang, X., Reiter, M.: Defending against denial-of-service attacks with puzzle auctions. In: Proc. 2003 IEEE Symposium on Security and Privacy (SP 2003), pp. 78–92. IEEE Press, Los Alamitos (2003) 8. Aura, T., Nikander, P.: Stateless connections. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 87–97. Springer, Heidelberg (1997) 9. Meadows, C.: A formal framework and evaluation method for network denial of service. In: Proc. 1999 IEEE Computer Security Foundations Workshop (CSFW), vol. 4, IEEE Computer Society Press, Los Alamitos (1999) 10. Gong, L., Syverson, P.: Fail-stop protocols: An approach to designing secure protocols. In: Proceedings of the 5th IFIP Working Conference on Dependable Computing for Critical Applications (DCCA-5), pp. 44–55 (September 1995) 11. Diffie, W., van Oorschot, P., Wiener, M.J.: Authentication and authenticated key exchanges. Designs, Codes and Cryptography 2(2), 107–125 (1992) 12. Smith, J., Gonzalez-Nieto, J., Boyd, C.: Modelling denial of service attacks on JFK with Meadows’s cost-based framework. In: Buyya, R., Ma, T., Safavi-Naini, R., Steketee, C., Susilo, W. (eds.) Proc. 4th Australasian Information Security Workshop – Network Security (AISW-NetSec) 2006. CRPIT, vol. 54, pp. 125–134. Australian Computer Society (2006) 13. Karn, P., Simpson, W.A.: Photuris: Session-key management protocol, RFC 2522 (March 1999)

406

D. Stebila and B. Ustaoglu

14. Krawczyk, H.: SIGMA: The ‘SIGn-and-MAc’ approach to authenticated DiffieHellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003) 15. Kaufman, C.: Internet Key Exchange (IKEv2) protocol, RFC 4306 (December 2005) 16. Aiello, W., Bellovin, S.M., Blaze, M., Canetti, R., Ioannidis, J., Keromytis, A.D., Reingold, O.: Just Fast Keying: Key agreement in a hostile Internet. ACM Transactions on Information and System Security 7(2), 1–30 (2004) 17. Mao, W., Paterson, K.G.: On the plausible deniability feature of Internet protocols (manuscript, 2002) 18. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993) 19. Back, A.: A partial hash collision based postage scheme (1997), http://www.hashcash.org/papers/announce.txt 20. Juels, A., Brainard, J.: Client puzzles: A cryptographic countermeasure against connection depletion attacks. In: Proc. Internet Society Network and Distributed System Security Symposium (NDSS), pp. 151–165. Internet Society (1999) 21. Abadi, M., Burrows, M., Manasse, M., Wobber, T.: Moderately hard, memorybound functions. In: Proc. Internet Society Network and Distributed System Security Symposium (NDSS 2003). Internet Society (2003) 22. Waters, B., Juels, A., Halderman, J.A., Felten, E.W.: New client puzzle outsourcing techniques for DoS resistance. In: Proc. 11th ACM Conference on Computer and Communications Security (CCS), pp. 246–256. ACM, New York (2004) 23. Aura, T., Nikander, P., Leiwo, J.: DOS-resistant authentication with client puzzles. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2000. LNCS, vol. 2133, pp. 170–177. Springer, Heidelberg (2001) 24. Eddy, W.M.: TCP SYN flooding attacks and common mitigations, RFC 4987 (August 2007) 25. Jakobsson, M., Juels, A.: Proofs of work and bread pudding protocols. In: Preneel, B. (ed.) Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security. IFIP Conference Proceedings, vol. 152, pp. 258–272. Kluwer Academic Publishers, Dordrecht (1999) 26. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3), 329–342 (2008) 27. Okamoto, T., Pointcheval, D.: The gap-problems: A new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001) 28. Moskowitz, R., Nikander, P., Jokela, P., Henderson, T.R.: Host Identity Protocol, Internet-Draft (February 2004)

A Commitment-Consistent Proof of a Shuffle Douglas Wikstr¨om CSC KTH Stockholm, Sweden [email protected]

Abstract. We introduce a pre-computation technique that drastically reduces the online computational complexity of mix-nets based on homomorphic cryptosystems. More precisely, we show that there is a permutation commitment scheme that allows a mix-server to: (1) commit to a permutation and efficiently prove knowledge of doing so correctly in the offline phase, and (2) shuffle its input and give an extremely efficient commitment-consistent proof of a shuffle in the online phase. We prove our result for a general class of shuffle maps that generalize all known types of shuffles, and even allows shuffling ciphertexts of different cryptosystems in parallel.

1

Introduction

Consider a situation where N senders S1 , . . . , SN each have some input and wish to compute the sorted list of their inputs without revealing who submitted which message. A trusted party can do this by waiting until all senders have submitted some input, and then sort and output the list of all inputs. A protocol that emulates the trusted party is called a mix-net and the parties M1 , . . . , Mk that execute the protocol are referred to as mix-servers. As long as a certain fraction of the mix-servers are honest, the result should be correct and nobody should learn the correspondence between input ciphertexts and output messages. The obvious application for mix-nets is to conduct electronic elections, and this is also one of the applications Chaum [6] had in mind when he introduced mix-nets. Many constructions of mix-nets are proposed in the literature, but few have provable security properties and many are actually flawed. The basic approach of all mix-nets with provable properties are based on ideas of Sako and Kilian [23]. The first rigorous definition of security was given by Abe and Imai [1], but they did not construct a scheme satisfying their construction. Wikstr¨ om [25] gives the first definition of a universally composable (UC) mix-net, the first UC-secure construction, and also a more efficient UC-secure scheme [26]. An important building block in the construction of a mix-net is a so called proof of a shuffle that allows the mix-servers to prove that they follow the protocol. The first efficient proofs of shuffles were given by Neff [18] and Furukawa and Sako [13]. C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 407–421, 2009. c Springer-Verlag Berlin Heidelberg 2009 

408

1.1

D. Wikstr¨ om

Mix-Nets Based on Homomorphic Cryptosystems

Recall the mix-net of Sako and Kilian [23]. They present their scheme in terms of the El Gamal cryptosystem [14], but the idea works for any homomorphic cryptosystem. A homomorphic cryptosystem CS = (Kg, E, D) that allows threshold decryption is employed. A cryptosystem is said to be homomorphic if for every public key pk ∈ PK, the plaintext space Mpk , the randomness space Rpk , and the ciphertext space Cpk are groups, and for every m0 , m1 ∈ Mpk and r0 , r1 ∈ Mpk : Epk (m0 , r0 )Epk (m1 , r1 ) = Epk (m0 m1 , r0 r1 ). A joint public key pk is generated somehow such that each mix-server holds a secret share of the corresponding secret key sk . Each sender Si , holding a message mi , computes a ciphertext c0,i = Epk (mi ), and then somehow submits it to the mix-servers. The mix-servers then take turns at re-encrypting and permuting these ciphertexts. Let L0 = (c0,1 , . . . , c0,N ) be the list of submitted ciphertexts. For j = 1, . . . , k, Mj chooses a permutation π and rj,i ∈ Rpk randomly, computes cj,i = cj−1,π(i) Epk (1, rj,π(i) ) for i = 1, . . . , N , and then publishes Lj = (cj,1 , . . . , cj,N ). In other words, each mixserver randomly re-encrypts each ciphertext and then outputs the resulting ciphertexts in random order. Then it proves, using a proof of a shuffle, that it formed Lj from Lj−1 in this way. Finally, the mix-servers jointly threshold-decrypt Lk and output the resulting list of plaintexts. The idea is that since all mix-servers have randomly permuted the ciphertexts and the cryptosystem is assumed secure, it is infeasible to tell which plaintext corresponds to which original ciphertext in L0 . The above description is simplified in that the senders submit homomorphic ciphertexts directly, which is not secure [22]. In a provably secure construction, the plaintexts of corrupted senders must be extractable by the simulator without the secret key of the cryptosystem. Until recently, all known submission schemes were either only heuristically secure, or involved costly interaction, but there is now a provably secure solution to this problem for several well known homomorphic cryptosystems [27]. Alternative Constructions. In the scheme of Furukawa et al. [12], each mix-server not only re-encrypts and permutes its input, but also partially decrypts it. As a result, the final list Lk essentially contains the plaintexts and no joint decryption step is needed. In the scheme of Wikstr¨ om [26], re-encryption is also eliminated entirely, i.e., each mix-server only partially decrypts and permutes its input. In a preliminary unpublished version of Neff [18] a proof of a shuffle for the first type of mix-net is described as well [19]. These schemes have special advantages over the above, but do not lend themselves well to pre-computation, since partial decryption must be done sequentially. Very few other approaches to constructing mix-nets have any provable security properties [16] and several are actually flawed [1,9,24]. 1.2

Previous Work On Improving Efficiency

There are more or less obvious techniques that can be used to reduce the computational complexity of a mix-net. If a threshold below k is used for the decryption

A Commitment-Consistent Proof of a Shuffle

409

key, then all mix-servers do not need to take part in the mixing process. In the execution of a public-coin honest verifier proof of knowledge the random challenge of the honest verifier must be generated jointly by the mix-servers, which is costly. But if unpredictability suffices, then longer challenges can be extracted from a random seed using a PRG. Pre-computation can also be used in the coin-flipping protocols. The re-encryption factors can also be pre-computed and batch proof techniques [4] can be used to reduce the complexity of the proofs of correctness needed during joint decryption. If such optimizations and pre-computations are used, the main computational cost lies in the proofs of shuffles. Thus, most previous work on reducing the complexity, e.g. [12,13,18,15,26], focus on reducing the complexity of a particular proof of a shuffle. Some parts of these proofs can easily be pre-computed as well. An alternative approach is used by Adida and Wikstr¨ om [3], who show that when the number of senders is relatively small, ideas from homomorphic election schemes [5] can be used to construct a mix-net where the online phase only requires decryption of a single ciphertext. The public-key obfuscated shuffle of Adida and Wikstr¨ om [2] may also be viewed as a form of pre-computation, but their goal is not improved efficiency. In fact, their scheme is quite inefficient. 1.3

Our Contribution

We show how to split a proof of a shuffle into two protocols. The first protocol is used by a mix-server in the offline phase to prove knowledge of how to open a commitment to a permutation. The second protocol is used by a mix-server in the online phase to prove that it uses the permutation it committed to also during shuffling. The first protocol is almost as efficient as the known proofs of shuffles; in fact it can be constructed from these, e.g., [13,15,18,26]. Even without any standard optimization techniques such as simultaneous exponentiations, the computational complexity of the second protocol is half an exponentiation per sender in the El Gamal case and has similar properties for other cryptosystems. Thus, our precomputation technique reduces the online computational complexity of virtually all mix-nets. We also show that all known types of shuffles are instances of a generalized shuffle, where some homomorphic map φpk : Cpk × Rpk → Cpk is applied to each ciphertext and randomizer pair, and the resulting ciphertexts are permuted. In fact, we prove our results for this generalized shuffle. The generality of our result immediately gives that ciphertexts can be shuffled in parallel. Even ciphertexts of different cryptosystems can be shuffled in parallel, and distinct homomorphic maps can be used for ciphertexts of different cryptosystems. The inspiration of this work comes from both Neff [18] and Furukawa and Sako [13]. Neff writes as follows about his “simple shuffle”: “A single instance of this proof can be constructed to essentially ‘commit’ a particular permutation”, but we are unable to derive our results starting from his “commitment”. On the other hand, the Pedersen permutation commitment scheme used implicitly in the proof of a shuffle of Furukawa and Sako is perfectly suitable for constructing a fast commitment-consistent proof of a shuffle.

410

1.4

D. Wikstr¨ om

Notation

Natural numbers and integers are denoted by N and Z respectively. The ring of integers modulo n is denoted by Zn , Z∗n denotes its multiplicative group, and SQ n denotes the subgroup of squares in Z∗n . We use κ as the main security parameter, but also introduce several related parameters, e.g., the bit-size of challenges κc . We identify the set of κ-bit strings and the set of positive integers in [0, 2κ − 1] when convenient. A function (κ) is negligible if for every constant c and sufficiently large κ it holds that (κ) < κ−c . A function f (κ) is overwhelming if 1 − f (κ) is negligible. We denote the set of N -permutations by SN . The Discrete Logarithm (DL) assumption for a group Gq with generator g states that given a random element y ∈ Gq , it is infeasible to compute x such that y = g x . The decision Diffie-Hellman (DDH) assumption states that when x, y, r ∈ Zq are randomly chosen, then it is infeasible to distinguish the distributions of (g x , g y , g xy ) and (g x , g y , g r ). See full version for formal definitions. We view a commitment scheme as consisting of a parameter generation algorithm Gen and a deterministic commitment algorithm Com. On input 1κ , Gen outputs a parameter ck which defines a message set Mck , a polynomially sampleable randomness space Rck , and a commitment space Kck . We write CK for the set of commitment parameters. On input ck ∈ CK, m ∈ Mck , and r ∈ Rck , Com outputs a commitment. To open a commitment the message and randomness is revealed. We write CS = (Kg, E, D) for a homomorphic cryptosystem and Mpk , Rpk , and Cpk for the abealian groups of messages, randomness, and ciphertexts defined by a public key pk . We let PK denote the set of all public keys. A homomorphic cryptosystem satisfies Epk (m1 , r1 )Epk (m2 , r2 ) = Epk (m1 m2 , r1 r2 ) for every pk ∈ PK, m1 , m2 ∈ Mpk , and r1 , r2 ∈ Rpk . We denote the set {1, . . . , l} by [l] and sometimes denote a list of elements (a1 , . . . , al ) by a[l] . Throughout we assume that the order of the largest cyclic subgroup of Cpk , and the order of any groups on which we base our commitment schemes, are bounded by 2κ .

2

Background and Informal Description

Before we give details, it is worthwhile to recall some properties of batch proofs of discrete logarithms and proofs of shuffles. We also give a brief informal description of our commitment-consistent proof of a shuffle. Batch Proofs. Consider a setting where many group elements y1 , . . . , yN in some prime order group Gp with generator g are given, and the prover knows xi ∈ Zp such that yi = gixi . It is expensive to prove knowledge of each logarithm xi independently, but the use of batching [4] decreases this cost substantially as the following example shows. 1. Verifier picks e1 , . . . , eN ∈ Zp randomly and hands them to prover. N 2. Both parties compute y = i=1 yiei .

A Commitment-Consistent Proof of a Shuffle

411

3. Prover shows that it knows the logarithm w such that y = g w using a standard honest verifier zero-knowledge proof of knowledge. The reason that this is a proof of knowledge is that the extractor may rewind the prover to the first step several times until it has found N linearly independent vectors ej = (ej,1 , . . . , ej,N ) in ZN for j = 1, . . . , N and extracted logarithms N ej,i p wj w1 , . . . , wN such that i=1 yi = g . Note that linear independence imply that  for every l = 1, . . . , N there are dl,j such that N j=1 dl,j ej is the lth standard unit vector in ZN . This gives p N N N e dl,j N d yl = yi j,i = (g wj ) j,i = g j=1 dl,j wj , j=1

i=1

j=1

which means N that the logarithm of every individual element yl can be computed as xl = j=1 dl,j wj . We remark that the components of the vectors can be chosen randomly in {0, 1}κe for a κe much smaller than κ. From now on we use κe to denote the bit-size of components of random vectors as the above. Another important observation, used to reduce the need for jointly generated randomness when the honest verifier is implemented jointly by several parties, is that it suffices that the vectors are unpredictable, e.g., the verifier may instead choose a random seed z for a PRG, hand it to the prover, and define (e1 , . . . , eN ) = PRG(z). Proofs of Shuffles. Due to space restrictions, we can not go into the details of any particular proof of a shuffle, but we can explain one of the ideas that appear in different forms in all known efficient schemes. Consider a homomorphic cryptosystem such that the order of every non-trivial element in Cpk equals a prime p. Given are a public key pk and ciphertexts (c1 , . . . , cN ) and (c1 , . . . , cN ) that are related by ci = cπ(i) Epk (1, rπ(i) ) for some permutation π and randomness r1 , . . . , rN . A key observation, first made by Neff [18] and Furukawa and Sako [13], is that batch proofs are in some sense invariant under permutation and that this means that we can use batch techniques to construct an efficient proof of a shuffle. The idea can be described as follows, where we use a PRG to expand a seed into an unpredictable vector. 1. V picks a seed z ∈ {0, 1}κ randomly and hands it to P. N 2. Both parties compute c = i=1 cei i , where (e1 , . . . , eN ) = PRG(z) and ei ∈ [0, 2κe − 1]. N 3. P computes c = i=1 (ci )eπ(i) , hands it to V, and convinces V that it is formed correctly. 4. P proves knowledge of r ∈ Rpk such that c = cEpk (1, r). Note that the linear independence argument used in the basic batch proof above carries over to the shuffle setting, despite that some of the exponents are permuted (see Proposition 3 in full version for details). The above description is simplified in that the prover must blind c to avoid leaking knowledge. The

412

D. Wikstr¨ om

problem of convincing the verifier that the original exponents, re-ordered using a fixed permutation π, are used to form c is non-trivial, and solved differently in the various proofs of shuffles. If we ignore the cost of Step 3, then the above protocol is very efficient. 2.1

Commitment-Consistent Proofs of Shuffles

We observe that we can design Step 3 in such a way that almost all of it can be moved to the offline phase. Generators g1 , . . . , gN of a group Gp of prime order p are given as part of the setup of the proof of a shuffle, and it is assumed to be infeasible to compute any non-trivial relations among these (this follows from the DL assumption). Suppose that each mix-server commits to a permutation π using Pedersen commitments [21] (a1 , . . . , aN ) = (g r1 gπ−1 (1) , . . . , g rN gπ−1 (N ) ) for random r1 , . . . , rN ∈ Zp , and also proves knowledge of the ri and π such that (a1 , . . . , aN ) was formed in this way. Then in the online phase the verifier can choose, and hand to the prover, a random seed z ∈ {0, 1}κ, set (e1 , . . . , eN ) = PRG(z), and compute a=

N i=1

aei i =

N i=1

g ri ei gπei−1 (i) = g r

N

e g π(i) i=1 i

,

N where r = i=1 ri ei . Note that a is of a perfect form for executing a standard proof of knowledge of equal exponents. More precisely, we may now replace Step 3 above in the online phase by: N – Prover computes c = i=1 (ci )eπ(i) and hands it to the verifier. – Prover proves knowledge of r ∈ Zp and e1 , . . . , eN ∈ {0, 1}κe with a = gr



N i=1

e

gi i

and c =

N i=1



(ci )ei .

The above is simplified in that some blinding factors are missing. The proof of knowledge of the exponents r , e1 , . . . , eN , combined with the computational binding property of multi-base Pedersen commitments implies that ei = eπ(i) for some permutation π(i). The computational complexity of the above protocol is very low, since almost all exponents have very few bits also in the proof of knowledge of equal exponents.

3

A Commitment-Consistent Proof of a Shuffle

In this section we first give more details of the commitment scheme and explain how any of the known proofs of shuffles can be used to prove knowledge of an opening of the commitment to a permutation. Then we present the commitmentconsistent proof of a shuffle.

A Commitment-Consistent Proof of a Shuffle

3.1

413

Permutation Commitments

We formalize the property we need from the Pedersen commitments above. A permutation commitment should allow the committer to compute a commitment Com (π) of a permutation π, but obviously any string commitment can be used to commit to a permutation. The special property of a permutation commitment is that if the receiver holds a list (e1 , . . . , eN ), it can transform the permutation commitment into a commitment Come (eπ(1) , . . . , eπ(N ) ), of another type, of the the list elements, but in order defined by π. Here κcom denotes the maximal bit size of each component of a list commitment. Definition 1. Let (Gen , Com ) be a commitment scheme for SN and let (Gene , Come ) be a commitment scheme for [0, 2κcom − 1]N . The former is a κcom permutation commitment scheme of the latter if Gen = Gene and there exist deterministic polynomial time algorithms Map and Rand s.t. for every ck ∈ CK, r ∈ Rck , π ∈ SN and e = (e1 , . . . , eN ) ∈ [0, 2κcom − 1]N Mapck (Comck (π, r ), e) = Comeck ((eπ(1) , . . . , eπ(N ) ), Rand(r , e)) . Construction 1 (Pedersen Commitment). The generation algorithm Gen outputs random generators g1 , . . . , gN ∈ Gq , where Gq is a cyclic group of t known order q = i=1 pi with pi ≥ 2κcom . On input π ∈ SN and r1 , . . . , rN ∈ Zq , the commitment algorithm Com computes ai = g ri gπ−1 (i) , and outputs (a1 , . . . , aN ). The parameter algorithm Gene is identical to Gen . On input (e1 , . . . , eN ) ∈ [0, 2κcom − 1]N and r ∈ Zq , the algorithm Come computes N a = g r i=1 giei , and outputs a. The idea of using (generalized) Pedersen commitments [21] to commit to permutations is not novel, e.g., it is used implicitly in [13], but the observation that a commitment of the first kind can be transformed into a commitment of the second kind seems new. Proposition 1. Both (Gen , Com ) and (Gene , Come ) of Construction 1 are perfectly hiding and computationally binding under the DL assumption. The former is a permutation commitment of the latter. The proof of the binding property is well known for prime order groups. A proof is given in the full version. We will later make use of the following relation that corresponds to breaking a commitment scheme, i.e., finding two different ways to open a commitment.   twin Definition 2. The relation Rck consists of all pairs ck , (s[l] , s0 , s[l] , s0 ) such that s[l]  = s[l] and Comeck (s[l] , s0 ) = Comeck (s[l] , s0 ). Suppose a committer produces a permutation commitment a and the verifier computes a = Mapck (a , (e1 , . . . , eN )). Then we expect that the committer only can open a as (eπ(1) , . . . , eπ(N ) ) for a fixed permutation π, i.e., if we repeat this procedure with different lists (e1 , . . . , eN ) the same permutation must be used

414

D. Wikstr¨ om

by the committer every time. We can not prove this, but it is easy to see that if it also can open a to a permutation π, then it must use this permutation every time. Recall that in our application, each mix-server proves knowledge of how to open a during the offline phase. Thus, if a witness for the following relation can be extracted in the online phase we reach a contradiction. This suffices to prove the overall security of a mix-net.   perm Definition 3. The relation Rck consists of all ck , (a , s[N ] , s0 , s[N ] , s0 ) such that Mapck (a , s[N ] ) = Comeck ((sπ(1) , . . . , sπ(N ) ), s0 ), Mapck (a , s[N ] ) = Comeck ((sπ (1) , . . . , sπ (N ) ), s0 ), π  = π  , and si  = sj and si  = sj for all i  = j. 3.2

Proof of Knowledge of Opening

We now explain how we can construct, from any proof of a shuffle of El Gamal ciphertexts over a prime order group Gp , a proof of knowledge that a Pedersen permutation commitment indeed is a commitment to a permutation.   open Definition 4. The relation Rck consists of all (ck , a ), (π, r ) such that a = Comck (π, r ). Protocol 1 (Proof of Knowledge of Correct Opening). Common Input: Pedersen commitment parameters g, g1 , . . . , gN ∈ Gp and a commitment (a1 , . . . , aN ) ∈ GN p . Private Input: Permutation π ∈ SN and exponents r1 , . . . , rN ∈ Zp such that ai = g ri gπ−1 (i) . 



1. P chooses ri ∈ Zp and h ∈ Gp randomly, computes ai = g ri ai and bi = hri +ri , and hands (a1 , . . . , aN ) and (h, b1 , . . . , bN ) to V.  2. P proves to V that it knows ri such that ai = g ri ai . 3. P and V view (h, g) as an El Gamal public key, and P uses its random com mitment exponents r1 + r1 , . . . , rN + rN to give a proof of a shuffle that the   list (b1 , a1 ), . . . , (bN , aN ) is a re-encryption and permutation of the list of trivial ciphertexts (1, g1 ), . . . , (1, gN ) using the public key (h, g), i.e., it proves that it   knows some ri such that (bi , ai ) = (hri , g ri gπ−1 (i) ).

Proposition 2. The protocol inherits properties of the proof of a shuffle. 1. If the proof of a shuffle is public-coin, overwhelmingly (computationally) sound, and a proof of knowledge, then so is the protocol above. 2. If the proof of a shuffle is honest verifier (computationally under assumption A) zero-knowledge, then the above protocol is computationally zero-knowledge under the DDH assumption (and assumption A). A proof is given in the full version. Without the blinding exponent ri the protocol is not even computationally zero-knowledge, since the adversary could in principle know ri . Some proofs of shuffles do not satisfy the standard computational versions of soundness, proof of knowledge, and zero-knowledge. In those cases

A Commitment-Consistent Proof of a Shuffle

415

the correspondingly more complicated security properties are also inherited, but we use the above proposition for simplicity. Readers with deeper understanding of proofs of shuffles should note that the basic principles of any proof of a shuffle can be used directly to construct a more efficient protocol, but this is not our focus here. We stress that the above simple solution is presented for completeness and ease of presentation. It is non-trivial to extend the above result to groups of composite order such as those considered in Construction 1. 3.3

Proof of Knowledge of Equal Exponents

Recall from our sketch in Section 2.1 that in our commitment-consistent proof N of a shuffle, the prover essentially hands the product i=1 (ci )eπ(i) to the verifier and shows that the exponents used are those committed to in a commitment Come (eπ(1) , . . . , eπ(N ) ). More precisely, we assume that: {h1 , . . . , hk } is a generator set of the group Cpk of ciphertexts, ck is a commitment param eter, and that the prover hands N (ci )eπ(i) to the verifier in blinded form,   k i=1 e si N  eπ(i) i.e., it hands Comck (s[k] , s0 ), i=1 hi to the verifier for random i=1 (ci ) exponents s[k] (and s0 ∈ Rck ), and then proves that it knows all of these exponents and that they are consistent with the exponents committed to in Comeck ((eπ(1) , . . . , eπ(N ) ), e0 ) for some e0 ∈ Rck . Thus, we construct a protocol for the following relation. Definition 5. From a scheme (Gene , Come ) for [0, 2κcom − 1]N , a commitment parameter ck output by Gene , and a public key pk ∈ PK we define  eq Rck,pk to consist of all (pk , ck, h[k] , c[N ] , a, b1 , b2 ), (e0 , e[N ] , s0 , s[N ] ) satisfying   ei a = Comeck (e[N ] , e0 ), b1 = Comeck (s[k] , s0 ), and b2 = ki=1 hsi i N i=1 ci . t If the largest cyclic subgroup of Cpk has order q = i=1 pi with pi ≥ 2κc , and a group Gq of order q is available for which the DL problem is hard, then a sigma protocol with the challenge chosen from [0, 2κc − 1], can be constructed using fairly standard methods. For completeness we give such a protocol in the full version. Otherwise, we can either use Pedersen commitments over some prime order group Gp and use a proof of equal exponents over groups of different orders using a Fujisaki-Okamoto commitment [11] as a “bridge”, or we can replace the permutation commitment by a corresponding Fujisaki-Okamoto commitment directly. It is not hard to derive a shuffle of such commitments from Wikstr¨ om’s shuffle [26]. The drawback of using Fujisaki-Okamoto commitments is that they are based on the use of an RSA modulus, and such moduli are costly to generate in a distributed setting. We detail both solutions in the the full version. 3.4

Shuffle-Friendly Maps

To randomly shuffle a list of homomorphic ciphertexts (c1 , . . . , cN ) usually means that each ciphertext is randomly re-encrypted and the resulting ciphertexts randomly permuted, but there are other possible shuffles. For the El Gamal cryptosystem, one can also partially decrypt during shuffling [12], or if a special key

416

D. Wikstr¨ om

set-up is used one can avoid random re-encryption entirely [26]. There are also at least two types of shuffles of (variants of) Paillier [20] ciphertexts. A careful look at these shuffles reveal that they are all defined by evaluating a homomorphic map and permuting the result. Definition 6. A map φpk is shuffle-friendly for a public key pk ∈ PK of a homomorphic cryptosystem if it defines a homomorphic map φpk : Cpk × Rpk → Cpk . Example 1. Using the El Gamal cryptosystem over a group Gp with public key pk = (g, y), where y = g x and x is the secret key, we have Mpk = Gp , Rpk = Zp , and Cpk = Gp × Gp . Then φ(g,y) ((u, v), r) = (g r u, y r v) describes re-encryption when r ∈ Zp is randomly chosen. If yi = g xi , y = y1 y2 y3 , and x = x1 + x2 + x3 , 1 then φx(g,y) ((u, v), r) = (g r u, (y/y1)r u−x1 v) denotes partial decryption and reencryption using the secret share x1 and randomness r. The decryption shuffle in [26] can be described similarly. Example 2. Using the Paillier cryptosystem with a public key pk = n consisting of a random RSA modulus, we have Mpk = Zn , Rpk = Z∗n , and Cpk = Z∗n2 with encryption defined by Epk (m, r) = (1 + n)m rn mod n2 . Re-encryption is then defined by φn (c, r) = crn mod n2 . Suppose we wish to prove that a ciphertext c is the result of invoking a particular shuffle-friendly map φpk on another ciphertext c. If the shuffle-friendly map φpk is public, e.g., it represents re-encryption, then what is needed is a proof that there exists some randomness r such that φpk (c, r) = c . If the shuffle-friendly map itself is not public, e.g., re-encryption and partial decryption, then the map φpk must then be defined by some hidden parameters. Without loss we assume that the map is defined by some relation to the public key. In the typical cases, the public key defines a secret key and the shuffle-friendly map is defined by the secret key. We consider a situation the output ciphertext c is committed kwhere e si  to as (Comck ((s1 , . . . , sk ), s0 ), c i=1 hi ), and define a relation for a shufflefriendly map as follows. Definition 7 (Shuffle-Friendly Relation). Let pk ∈ PK, let φpk be a shuffle-friendly map for pk and let  ck be a commitment parameter.  We define Rφmap to consist of all pairs (pk , ck , h , c, b , b ), (r, s , s ) such that 1 2 0 [k] [k] pk k e si b1 = Comck (s[k] , s0 ) and b2 = φpk (c, r) i=1 hi . Example 3 (Example 1 continued). Note that Cpk = Gp × Gp is generated by h1 = (g, 1) and h2 = (1, g) with component-wise multiplication. If we consider a re-encryption and permutation shuffle and use Pedersen commitments over the group Gp with parameter ck = (g1 , g2 ), then the relation consists of all   pairs ((g, y), (g1 , g2 ), (u, v), b1 , b2 ), (r, s0 , s1 , s2 ) such that b1 = g s0 g1s1 g2s2 and b2 = hs11 hs22 (g r u, y r v). For the typical shuffle-friendly maps of the El Gamal and Paillier cryptosystems, it is well known how to construct sigma protocols [7] for the corresponding shuffle-friendly relation using standard methods. We give some examples in the full version.

A Commitment-Consistent Proof of a Shuffle

3.5

417

Details of the Commitment-Consistent Proof of a Shuffle

Next we give a detailed description of the protocol that allows a mix-server to prove in the online phase that it re-encrypted and permuted its input and that the permutation used is the same permutation it committed to in the offline phase. We denote by κr a parameter that decides how well the commitments hide the committed values. The two subprotocols can be executed in parallel and the second step of the protocol can be combined with the first move of the combined subprotocols. Protocol 2 (Commitment-Consistent Proof of a Shuffle). Common Input: A public key pk of a cryptosystem CS, a generating set {h1 , . . . , hk } π of Cpk , a commitment parameter ck , a permutation commitment a ∈ Kck , cipherN N texts (c1 , . . . , cN ) ∈ Cpk , and (c1 , . . . , cN ) ∈ Cpk . Private Input: Permutation π ∈ SN , s ∈ Rck and r1 , . . . , rN ∈ Rpk such that a = Comck (π, s ), and ci = φpk (cπ(i) , rπ(i) ). 1. V chooses a seed z ∈ {0, 1}κ randomly and hands it to P. Then both parties set (e1 , . . . , eN ) = PRG(z), where ei ∈ {0, 1}κe , and computes a = Mapck (a , (e1 , . . . , eN )). 2. P chooses t0 ∈ Rck and t1 , . . . , tk ∈ [0, 2κ+κr − 1] randomly, and computes and hands to V k N b1 = Comeck ((t1 , . . . , tk ), t0 ) and b2 = htii (ci )eπ(i) . i=1

i=1

3. P proves, using a proof of equal exponents, that it knows exponents t0 , . . . , tk , (e1 , . . . , eN ) (computed as (eπ(1) , . . . , eπ(N) )), and e0 (computed as Rand(s , (e1 , . . . , eN ))) such that b1 = Comeck ((t1 , . . . , tk ), t0 ) , b2 = a = Comeck ((e1 , . . . , eN ), e0 ) .

k i=1

htii

N i=1



(ci )ei , and

4. P proves, using  a proof of a shuffle map, that it knows exponents t0 , . . . , tk and ei r (computed as N i=1 ri ) such that  N

k b1 = Comeck ((t1 , . . . , tk ), t0 ) and b2 = htii φpk cei i , r . i=1

i=1

Note that the protocol and the proposition below are quite general; they apply for all the usual homomorphic cryptosystems, any shuffle-friendly map, and any number of ciphertexts shuffled in parallel (this is considered as a separate case in [18]). It even applies to mixed settings where ciphertexts from different cryptosystems are shuffled in parallel. To state the security properties of the protocol we need to define a relation that captures a shuffle. Definition 8. Let pk ∈ PK, let φpk be a shuffle-friendly map for pk . Then we define the shuffle relation Rφshuf to consist of all pairs of the form pk     (pk , c[N ] , c[N ] ), (π, r[N ] ) with ci = φpk (cπ(i) , rπ(i) ).

418

D. Wikstr¨ om

perm twin In the proposition we consider the relation Rφshuf ∨ Rck ∨ Rck . In general, for pk two relations R1 and R2 , the relation R1 ∨ R2 denotes the relation consisting of all pairs ((x1 , x2 ), w) such that (x1 , w) ∈ R1 or (x2 , w) ∈ R2 .

Proposition 3. Let the subprotocols be overwhelmingly complete sigma protoeq twin cols for the relations Rck,pk ∨Rck and Rφmap respectively, and let the commitment pk scheme be statistically hiding. Then for every pk ∈ PK and ck ∈ CK, the protocol is an sound public-coin perm twin honest verifier statistical zero-knowledge proof of the relation Rφshuf ∨Rck ∨Rck , pk shuf and overwhelmingly complete for witnesses of Rφpk . It is a proof of knowledge withnegligible knowledge error of a string w such perm twin that Rφshuf (pk , c[N ] , c[N ] ), (w, r[N ] ) = 1, Rck (ck , w) = 1, or Rck (ck , w) = 1, is pk satisfied for some randomness r[N ] ∈ Rpk , where we use the notation for inputs to the protocol as defined above. Remark 1. It is observed in [26] that it does not suffice that a proof of a reencryption and permutation shuffle is sound to be used in a provably secure mixnet. The permutation used by the mix-server to shuffle must also be extractable. However, extracting the permutation suffices. A proof of the proposition is given in the full version. The basic idea is explained already in Section 2.1, except that in the general case the order q of the maximal cyclic subgroup of Cpk may not be prime or may even be unknown. Note that if q is not prime, then the “random vectors” are in fact defined over a ring and not over a field, and consequently they are not vectors at all. Thus, not all elements are invertible, which potentially is a problem when trying to find a linear combination of the “random vectors” equal to any standard unit vector, which is needed to extract a witness. Since we assume that all factors of the order of Cpk are large and all elements that must be inverted are random, this is not a problem and a witness can be extracted. However, if it is infeasible to compute the factorization of the order of Cpk , or if the order itself is unknown, then this seems difficult. Fortunately, it suffices for the overall security of the mix-net that only the permutation can be extracted.

4

Application To Mix-Nets

At this point the reader should be comfortable with the idea that a proof of a shuffle can be split into a relatively costly offline part (Protocol 1) and a very efficient online part (Protocol 2), but how exactly do they fit into a mix-net? Below we give a brief informal description of a mix-net based on the El Gamal cryptosystem over a group Gp of prime order p. This illustrates how our protocols are used and gives an idea of the complexity of a complete mix-net using our approach. Offline Phase 1. The mix-servers, M1 , . . . , Mk , run a distributed key generation protocol to generate a joint public key (g, y) such that the corresponding secret key x, with y = g x , is secret shared among the mix-servers.

A Commitment-Consistent Proof of a Shuffle

419

2. Mj chooses rj,i ∈ Zp randomly and computes (g rj,i , y rj,i ) for i = 1, . . . , N . 3. Mj chooses a random permutation πj ∈ SN , publishes a permutation commitment aj = Com (πj ), and proves knowledge of the committed permutation using Protocol 1 (and verifies the proofs of knowledge of all other mix-servers). Online Phase 4. Si chooses ri ∈ Zp randomly, computes (u0,i , v0,i ) = E(g,y) (mi , ri ), where mi ∈ Zp is its message, and publishes this ciphertext. 5. Let L0 = (u0,i , v0,i )N i=1 be the input ciphertexts. For l = 1, . . . , k: (a) If l = j, then Mj computes (uj,i , vj,i ) = (g rj,i uj−1,πj (i) , y rj,i vj−1,πj (i) ), publishes Lj = (uj,i , vj,i )N i=1 , and proves using Protocol 2 that Lj−1 and Lj are consistent with aj . (b) If l  = j, then Mj verifies the proof of Ml , i.e., that Ll−1 and Ll are consistent with al . 6. The mix-servers perform a threshold decryption of Lk using their shares of x and output the list of plaintexts (mπ(1) , . . . , mπ(N ) ), where π = πk · · · π1 . The random challenges needed in the subprotocols are generated jointly using a coin-flipping protocol over a broadcast channel or bulletin board. Thus, all verifiers jointly either accept or reject proofs. It is natural to ask why the security property of our commitment-consistent proof suffices, since it is sound for perm twin Rφshuf ∨ Rck ∨ Rck and not for Rφshuf . This follows from the proof of knowledge pk pk property. For any successful prover there exists an extractor that outputs: a perm twin valid permutation π used to shuffle, a witness for Rck , or a witness for Rck . The second type of output directly contradicts the security of the commitment scheme. The third type of output combined with knowledge of how to open aj (such an opening can be extracted during the offline phase), also contradicts the security of the commitment scheme. Thus, in a simulation the extractor outputs the permutation with overwhelming probability, which suffices to prove the overall security of the mix-net. Depending on the secret sharing threshold, all mix-servers may not need to shuffle the ciphertexts, and there are obvious ways to avoid the assumption that all senders submit an input. Many details are of course missing from the above description, but in the El Gamal case all subprotocols missing from the description are available. Distributed key generation can be done using Feldman and Pedersen secret sharing [10,21]. The submission of inputs must allow extraction of the plaintexts of corrupt senders without using the secret key of the cryptosystem. This can be done [27] based on the Cramer-Shoup cryptosystem [8] in such a way that each mix-server essentially pays the cost of checking the validity of N Cramer-Shoup ciphertexts. Batch techniques [4] can be used to reduce this further if most ciphertexts are expected to be valid, and validity checks can be done concurrently with receiving new ciphertexts. Random challenges can be generated using Pedersen verifiable secret sharing [21]. The sharing phase of many coins can be pre-computed, but since we only need a

420

D. Wikstr¨ om

small number of bits in each challenge this type of optimization does not give much. Finally, during threshold decryption each mix-server must exponentiate N group elements to decrypt, but proving that this was done correctly can be done using batch proofs [4]. To summarize, the online running time of the mixnet is roughly the time to: validate N Cramer-Shoup ciphertexts, run the prover or verifier of k commitment-consistent proofs of shuffles of lists of ciphertexts of length N , decrypt N El Gamal ciphertexts, and prove or verify correctness of joint decryption, which is done using a batch proof. Recall that κe denotes the bit-size of elements in random “vectors”, κc denotes the bit-size of challenges, and κr decides the statistical error in simulations and also the completeness of our subprotocols. For practical security parameters, e.g., κ = 1024, κe = κc = 80 and κr = 20, we estimate the complexity of our protocol to N/2 square-and-multiply exponentiations. This can be reduced by a factor of 1/5 if simultaneous exponentation [17] is used, giving a complexity corresponding to N/10 square-and-multiply exponentations (see full version for details). Thus, our commitment-consistent proof of a shuffle is several times faster in the online phase than any of the known proofs of shuffles. As far as we know this makes our mix-net faster in the online phase than any previous mix-net.

Acknowledgments We thank Jun Furukawa and Andy Neff for helpful comments.

References 1. Abe, M., Imai, H.: Flaws in some robust optimistic mix-nets. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 39–50. Springer, Heidelberg (2003) 2. Adida, B., Wikstr¨ om, D.: How to shuffle in public. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 555–574. Springer, Heidelberg (2007) 3. Adida, B., Wikstr¨ om, D.: Offline/online mixing. In: Arge, L., Cachin, C., Jurdzi´ nski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 484–495. Springer, Heidelberg (2007) 4. Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 170–191. Springer, Heidelberg (1998) 5. Benaloh, J., Tuinstra, D.: Receipt-free secret-ballot elections. In: 26th ACM Symposium on the Theory of Computing (STOC), pp. 544–553. ACM Press, New York (1994) 6. Chaum, D.: Untraceable electronic mail, return addresses and digital pseudo-nyms. Communications of the ACM 24(2), 84–88 (1981) 7. Cramer, R., Damg˚ ard, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)

A Commitment-Consistent Proof of a Shuffle

421

8. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998) 9. Desmedt, Y., Kurosawa, K.: How to break a practical MIX and design a new one. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 557–572. Springer, Heidelberg (2000) 10. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 427–438. IEEE Computer Society Press, Los Alamitos (1987) 11. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997) 12. Furukawa, J., Miyauchi, H., Mori, K., Obana, S., Sako, K.: An implementation of a universally verifiable electronic voting scheme based on shuffling. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 16–30. Springer, Heidelberg (2003) 13. Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 368–387. Springer, Heidelberg (2001) 14. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985) 15. Groth, J.: A verifiable secret shuffle of homomorphic encryptions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 145–160. Springer, Heidelberg (2003) 16. Jakobsson, M., Juels, A., Rivest, R.: Making mix nets robust for electronic voting by randomized partial checking. In: 11th USENIX Security Symposium, pp. 339– 353. USENIX (2002) 17. Menezes, A., Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997) 18. Neff, A.: A verifiable secret shuffle and its application to e-voting. In: 8th ACM Conference on Computer and Communications Security (CCS), pp. 116–125. ACM Press, New York (2001) 19. Neff, A.: Private communication (May 2008) 20. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999) 21. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992) 22. Pfitzmann, B.: Breaking an efficient anonymous channel. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 332–340. Springer, Heidelberg (1995) 23. Sako, K., Killian, J.: Reciept-free mix-type voting scheme. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 393–403. Springer, Heidelberg (1995) 24. Wikstr¨ om, D.: Five practical attacks for “optimistic mixing for exit-polls”. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 160–174. Springer, Heidelberg (2004) 25. Wikstr¨ om, D.: A universally composable mix-net. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 315–335. Springer, Heidelberg (2004) 26. Wikstr¨ om, D.: A sender verifiable mix-net and a new proof of a shuffle. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 273–292. Springer, Heidelberg (2005) 27. Wikstr¨ om, D.: Simplified submission of inputs to protocols. Cryptology ePrint Archive, Report 2006/259 (2006), http://eprint.iacr.org/

Finite Field Multiplication Combining AMNS and DFT Approach for Pairing Cryptography Nadia El Mrabet1 and Christophe Negre2 1

LIRMM Laboratory, I3M, CNRS, University Montpellier 2, France [email protected] 2 DALI/ELIAUS, University of Perpignan, France

Abstract. Pairings over elliptic curves use fields Fpk with p ≥ 2160 and 6 < k ≤ 32. In this paper we propose to represent elements in Fp with AMNS sytem of [1]. For well chosen AMNS we get roots of unity with sparse representation. The multiplication by these roots are thus really efficient in Fp . The DFT/FFT approach for multiplication in extension field Fpk is thus optimized. The resulting complexity of a multiplication in Fpk combining AMNS and DFT is about 50% less than the previously recommended approach [2]. Keywords: Pairing, finite fields, AMNS, discrete Fourrier transform.

1

Introduction

Bilinear pairing in cryptography got an increasing interest during the past decade. Pairings were first use to attack discrete logarithm problem over elliptic curves like in MOV attack [3]. Since 2001, they are used also in a constructive way. Specifically, new important and original protocols using bilinear pairing have been proposed (e.g. Identity Based Cryptography [4] or Short Signature [5]). The most popular pairings used in pairing cryptography are defined over elliptic curves E(Fqk ) (namely the Weil, Tate, ηT and Ate pairings [6]). Pairing evaluation over elliptic curve E(Fqk ) involves arithmetical operations as multiplications and additions in the field Fqk [2]. Fields Fqk used in elliptic pairings are specific : q must have bit length bigger than 160 for security reasons and 6 < k < 32 for optimization and security reasons. For now, the principal method [2] proposed to multiply elements in Fqk uses a mix of Karatsuba and Toom-Cook multiplications methods. Consequently, they focus on k of the form k = 2i 3j , the resulting fields are called friendly field and the cost of a multiplication in Fqk is equal to 3i 5j multiplications in Fq . Recently Discrete Fourier Transform approach has been proposed [7] to implement multiplication in Fq6 where q = 3n . In practice Discrete Fourier Transform approach is interesting for quite large extension degree k. But here the underlying fields are quite big, so if the use of DFT can save even a small number of multiplications in Fq this can be advantageous. In this paper, we extend the use of DFT for fields Fpk where p is now a prime integer. The multiplication with DFT requires, in the best case, 2k − 1 C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 422–436, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Finite Field Multiplication Combining AMNS and DFT Approach

423

multiplications in Fp and O(k 2 ) multiplications by roots of unity. If FFT can be used, the cost of DFT approach becomes O(n log(n)) operations in Fp . If the field Fp is represented in usual way, the DFT approach remains too costly. Indeed, in this case the roots of unity are generally not nice (e.g. with a dense binary representation) and multiplications by these roots are costly. We propose here to use the AMNS system of Fp defined in [1]. In this situation we can manage to get roots of unity with nice representation, providing multiplications which are almost cost free. These multiplications can thus be neglect and the resulting multiplication algorithm in Fpk requires only 2k − 1 multiplications in Fp . The paper is organized as follows : in Section 2 we recall the definition of the AMNS for representing integers modulo p and the arithmetic in this system. In Section 3 we recall the discrete Fourier transform approach for multiplication in Fpk and extend it to specific cases in Subsection 3.3. We then focus on DFT friendly fieds (Section 4) which get benefit of a combination of AMNS and DFT for field multiplicattion. We evaluate the complexity of our approach for several field extensions and compare them to friendly fields. We finally conclude in Section 5.

2

Prime Field Arithmetic in AMNS System

Modular arithmetic operations like addition or multiplication modulo p consist to add or multiply two integers 0 ≤ a, b < p and reduce the result modulo p if it is bigger than p. Efficient arithmetic modulo a prime integer p is generally deeply related to the system of representation used to represent the elements. Generally integers are  expressed as a sum a = i=0 ai γ i where 0 ≤ ai < γ and γ  has approximately the size of p. In practice γ is often chosen as 2w where w is the size of computer words. Here we will use an original system of representation in Fp introduced in [1] by Bajard, Imbert and Plantard called the Adapted Modular Number System. 1/ The main idea of the AMNS consists to relax the fact that γ ∼ take γ = p . We freely in [0, p] such that each 0 ≤ a < p can be written as a = i=0 ai γ i mod p with ai ∈ [0, p1/ ]. The advantage is that γ can be taken as γ  = λ mod p where λ is small. Definition 1 (AMNS [1]). An Adapted Modular Number System B, is a quadruple (p, , γ, ρ)E , where E = t − λ such that γ  − λ = 0 mod p and such −1 that for all positive integers 0 ≤ a < p there exists a polynomial a(t) = =0 ai ti satisfying a(γ) = a mod p, deg(a(t)) < , (1) a∞ = maxi=1 |ai | < ρ. The polynomial a(t) is a representation of a in B. Generally in AMNS we have γ ∼ = p and small coefficients |ai | < ρ ∼ = p1/ .

424

N. El Mrabet and C. Negre Table 1. The elements of Z17 in B = M N S(17, 3, 7, 2) 0 0

1 1

2 −t2

6 −1 + t

7 t

8 9 1 + t −t − 1

12 13 14 −t − t2 1 − t − t2 −1 + t2

3 4 5 1 − t2 −1 + t + t2 t + t2

15 t2

10 −t

11 −t + 1

16 −1

Example 1. In Table 1, we give the representation in the AMNS B = (17, 3, 7, 2) for each element modulo p = 17. In particular, we can verify that if we evaluate (−1 + t + t2 ) in γ, we have −1 + γ + γ 2 = −1 + 7 + 49 = 55 ≡ 4 mod 17. We have also that  − 1 + t + t2∞ = 1 < 2. In [8] the authors showed that it is possible to build an AMNS of length  when it is possible to compute a polynomial m(γ) = 0 mod p with m∞ small. Proposition 1. Let p be a prime integer and λ ∈ Z,  ∈ N such that the polynomial E = t − λ admits a root γ in Fp . Then the following statements are true. i) There exists a polynomial m such that m(γ) = 0 and m∞ ≤ (!)1/ p1/ . ii) Let σ = m∞ and ρ = 2|λ|σ then the system B = (p, , γ, ρ)E is an AMNS of Fp . Fields used in cryptographic pairing have a p randomly constructed. Thus multiplication modulo p cannot use some rare property of p, like the primes considered in [1]. The better algorithm in AMNS which does not use rare property of prime p is the Montgomery-like multiplication presented in [8]. Algorithm 1: AMNS Multiplication Input : a, b ∈ B = (p, , γ, ρ)E with E = t − λ Data : m a polynomial such that m(γ) ≡ 0 (mod p) an integer φ and m = −m−1 mod (E, φ) Output: r(t) such that r(γ) = a(γ)b(γ)φ−1 mod p begin c ← a × b mod E; q ← c × m mod (E, φ) ; r ← (c + q × m mod E)/φ; end According to [8] this algorithm is correct if φ ≥ 2λρ. Concerning the implementation of Algorithm 1, it requires essentially three polynomial multiplications where polynomial coefficients are smaller than ρ and φ.

Finite Field Multiplication Combining AMNS and DFT Approach

425

Such polynomial multiplication can be implemented using classical approach : for really small length  schoolbook method are generally recommended, for bigger  Karatsuba or Toom-Cook should be better. We will use here  ≤ 60, thus, we will always use one of this two methods.

3

Field Extension Arithmetic

An extension field Fpk can be seen as the set of polynomials with coefficient in Fp and degree less than k Fpk = {U (X) ∈ Fp [X] s.t. deg U < k} . Arithmetic in this set is done modulo an irreducible polynomial P with degree k. Since p is large, the polynomial P can be taken, in general, with a binomial form X k − α with small α (cf. [2,9]). In this situation the multiplication modulo P of two elements U=

k−1 i=0

ui X i and V =

k−1 i=0

vi X i

consists first to compute the product W = U × V and then to reduce it modulo P . Since P is a binomial, the reduction modulo P is simple. We split W = W + X k W with deg W ≤ k and compute W + αW since X k ≡ α mod P . The main challenge is thus to perform efficiently the polynomial multiplication U ×V . 3.1

Polynomial Multiplication Using DFT

We recall here the Discrete Fourier Transform (DFT) approach for polynomial multiplication. This approach is a special case of the multi-evaluation/ interpolation strategy [10]. Multi-evaluation/interpollation perform a polynomial multiplication of two polynomials U and V by evaluating both of them in n ≥ 2k − 1 elements of Fp . Then we deduce the evaluation of W = U × V by computing term by term the evaluation of U and V . Finally we perform a Lagrange interpolation to get the polynomial form of W . In the DFT approach the evaluation set used is the set of n-th roots of unity. Specifically, let ω ∈ Fp be a primitive root of unity, then the DFT works as follow. 1. Multi-evaluation. Let U, V be two polynomials in Fp [X] with degree k. We compute the multi-evaluation of U ˆ = DF Tω (U ) = (U (1), U (ω), . . . , U (ω n−1 )). U This operation is usually called the Discrete Fourier Transform of U . The same is done for V . This operation can be done through a matrix vector product

426

N. El Mrabet and C. Negre

⎡

ω2 ω4

1 ω ⎢ 1 ω2 ˆ =⎢ U ⎢ .. ⎣.

··· ···

⎤ ⎡

ω k−1 ω (k−1)2 .. .

⎥ ⎢ ⎥ ⎢ ⎥·⎢ ⎦ ⎣

1 ω n−1 ω 2(n−1) · · · ω (k−1)(n−1)

⎤

u0 u1 .. .

⎥ ⎥ ⎥. ⎦

uk−1

ˆ and Vˆ 2. Term by term multiplications. They are performed on U ˆ = (ˆ W u1 × vˆ1 , u ˆ2 × vˆ2 . . . , uˆn × vˆn ), we get the multi-evaluation of W where W = U × V . 3. Interpolation. The interpolation consists to compute the polynomial form of W knowing its multi-evaluation in ω = (1, ω, ω 2 , . . . , ω (n−1) ). Lemma 1. Let Fp be a prime field and Let ⎡ 1 1 1 2 ⎢1 ω ω ⎢ ⎢ 1 ω2 ω4 Ω=⎢ ⎢ .. ⎣.

ω be a primitive n-th root of unity. ··· ··· ···

⎤

1 ω n−1 ω (n−1)2 .. .

⎥ ⎥ ⎥ ⎥ ⎥ ⎦

(2)

1 ω n−1 ω 2(n−1) · · · ω (n−1)(n−1) its inverse is given by ⎡

Ω −1

1 1 ⎢ 1 ω 2 1⎢ ⎢ = ⎢1 ω n ⎢ .. ⎣.

1 ω 2 ω 4

··· ··· ···

1

ω n−1 ω (n−1)2 .. .

⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦

(3)

1 ω n−1 ω 2(n−1) · · · ω (n−1)(n−1) where ω  = ω −1 = ω n−1 . ˆ and In this situation the interpolation is computed by applying Ω −1 to W keeping only the first 2k − 1 coefficients. We obtain ⎡ ⎤ ⎡ ⎤ 1 1 1 ··· 1 w ˆ1 2 n−1 ⎢ 1 ω ⎥ ω · · · ω ⎥ ⎢w ⎥ 2 1⎢ ⎢ ⎢ ˆ2 ⎥ ω 4 · · · ω (n−1)2 ⎥ W = ⎢1 ω ⎥ · ⎢ .. ⎥ . ⎥ ⎣ . ⎦ n ⎢ .. .. ⎣. ⎦ . w ˆn 2k−2 2(2k−2) (n−1)(2k−2) 1ω ω ··· ω Remark 1 (Montgomery representation.). We can avoid the division by n in the interpolation process. Indeed, if we use a Montgomery representation (cf [11]) of U and V = 1 U and V = 1 V. U n n

Finite Field Multiplication Combining AMNS and DFT Approach

427

and V we If we perfom DFT approach without the division by n to multiply U get V = n( 1 U ) × ( 1 V ) = W

, nU n n where W = U × V . In other words DFT multiplication without division by n is stable in Montgomery representation. This representation is also stable under addition and reduction modulo P . It can thus be used in a chain of multiplication/addition, like in pairing evaluation over elliptic curves. 3.2

Fast Fourier Transformation (FFT) n−1 Let U = i=0 ui X i ∈ Fp [X] and ω be a primitive root of unity. The fast Fourier transform (FFT) is an algorithm which performs efficiently the evaluation of U in ω = (1, ω, ω 2 , . . . , ω n−1 ). The FFT process is based on the following two-way splitting of U n/2−1 U1 = j=0 a2j X 2j , n/2−1 U2 = j=0 a2j+1 X 2j , such that U = U1 + XU2 .  = U (ω i ) be the i-th coefficient of U ˆ = DF Tω (U ). Let us also denote Let U[i] ˆ ˆ by U1 [i], U2 [i] the coefficients of DF Tω2 (U1 ) and DF Tω2 (U2 ) in {1, ω 2 , ω 4 , . . . , (ω 2 )n/2−1 }. If we evaluate U = U1 + XU2 in ω i and ω i+n/2 = −ω i , i < n/2 we get  =U 1 [i] + ω i U 2 [i] U[i] i   U [i + n/2] = U1 [i] − ω U2 [i] The computation DF Tω (U ) is thus reduced to the computation of DF Tω2 (U1 ) and DF Tω2 (U2 ). These computations can be done recursivelly. The resulting algorithm has a cost of n2 log2 (n) multiplications by ω i in Fp and n log2 (n) additions/subtractions. 3.3

Multiplication with DFT When n ≤ 2k − 2

DFT approach for multiplication uses evaluations and interpolation in a set of n ≥ 2k−2 roots of unity in order to get the correct product W . In some situations there is no primitive n-th root of unity with n ≥ 2k − 1 and n close to 2k − 1. In these situations DFT approach is not practical. We present here an extension of the DFT approach when there exists primitive a n-th root of unity smaller than 2k − 1. We focus here on two cases n = 2k − 2 and n = 2k − 4, which correspond to practical situations (see Section 4). The following approach generalizes the method presented in [7] when k = 3 and n = 6 to other value of k. Lemma 2. Let Fp be a prime field, ω be a primitive n-th root of unity and Ω k−1 and Ω −1 be the matrices defined in Lemma 1. We consider U = i=0 ui X i , k−1 V = i=0 vi X i and W = U × V and we assume that n = 2k − 2. Then W can be computed as follow.

428

1. 2. 3.

N. El Mrabet and C. Negre

ˆ = DF Tω (U ), Vˆ = DF Tω (V ). U w2k−2 = uk−1 × vk−1 The coefficients wi for i = 0, . . . , 2k − 3 are computed as ⎡ ⎤ ⎡ ⎤ w0 u ˆi × vˆi − w2k−2 ⎢ w1 ⎥ ⎢u ⎥ ⎢ ⎥ ⎢ ˆi × vˆi − w2k−2 ⎥ ⎢ .. ⎥ = Ω −1 · ⎢ ⎥. .. ⎣ . ⎦ ⎣ ⎦ . w2k−3

(4)

u ˆi × vˆi − w2k−2

Proof. Since n = 2k − 2 and U andV have degree k − 1 then U × V = W = n n i i ˆ w i=0 i X has degree n and W = i=0 wi X . The evaluation W of W in the i n elements ω gives ⎧ w ˆ0 = W (1) = w0 + w1 + . . . + wn−1 + wn ⎪ ⎪ ⎪ n−1 ⎪ w + wn ω n ⎪ ⎨ ˆ1 = W (ω)2 = w0 + w1 ω +2. . . + wn−1 ω w ˆ2 = W (ω ) = w0 + w1 (ω ) + . . . + wn−1 (ω 2 )n−1 + wn (ω 2 )n . ⎪ .. .. ⎪ ⎪ . . ⎪ ⎪ ⎩ w ˆn−1 = W (ω n−1 ) = w0 + w1 (ω n−1 ) + . . . + wn−1 (ω n−1 )n−1 + wn (ω n−1 )n Now, since ω n = 1, we have (ω i )n = 1 for i = 1, . . . , n − 1. The right part of the previous equations rewrites as ⎧ w ˆ0 = W (1) = w0 + w1 + · · · + wn ⎪ ⎪ ⎪ n−1 ⎪ w + wn ⎪ ⎨ ˆ1 = W (ω)2 = w0 + w1 ω +2· · · + wn ω w ˆ2 = W (ω ) = w0 + w1 (ω ) + · · · + wn−1 (ω 2 )n−1 + wn (5) ⎪ .. .. ⎪ ⎪ . . ⎪ ⎪ ⎩ w ˆn−1 = W (ω n−1 ) = w0 + · · · + wn−1 (ω n−1 )n−1 + wn The coefficient wn is already known since wn = w2k−2 = uk−1 vk−1 . Using (5), we remark that the vector (w ˆ0 − wn , w ˆ1 − wn , . . . , w ˆn−1 − wn ) is the discrete n−1  Fourier transform of the polynomial W = i=0 wi X i . Thus we get back to the coefficients of W  by computing  t ˆ0 − wn w ˆ1 − wn · · · w ˆn−1 − wn ) . Ω −1 · w This corresponds to Eq. (4). We focus now on the case n = 2k − 4. Lemma 3. Let Fp be a prime field and ω ∈ Fp a primitive n-th root of unity. k−1 k−1 Let U = i=0 ui X i and V = i=0 vi X i in Fp [X]. Let W = U × V and assume that n = 2k − 4, then the coefficients of W can be computed as follows. 1. 2. 3.

ˆ = DF Tω (U ), Vˆ = DF Tω (V ). U w2k−2 = uk−1 × vk−1 , w0 = u0 × v0 w2k−3 = uk−1 × vk−2 + uk−2 × vk−1

Finite Field Multiplication Combining AMNS and DFT Approach

429

4. The coefficients wi for i = 1, . . . , 2k − 4 are computed as ⎡ ⎤ ⎡ ⎤ w ˆ0 − w0 − wn+1 − wn+2 w1 ⎢ w2 ⎥ ⎢ ⎥ (w ˆ1 − w0 − wn+1 ω − wn+2 ω 2 )ω −1 ⎢ ⎥ ⎢ ⎥ 2 2 2 −2 ⎢ w2 ⎥ ⎥ −1 ⎢ ( w ˆ − w − w ω − w (ω ) )ω 2 0 n+1 n+2 ⎢ ⎥= Ω ·⎢ ⎥ (6) ⎢ .. ⎥ ⎢ ⎥ .. ⎣ . ⎦ ⎣ ⎦ . n−1 n−1 2 −(n−1) wn (wˆn−1 − w0 − wn+1 ω − wn+1 (ω ) )ω where Ω −1 is defined in Eq. (3). Proof. The proof is similar to the proof Lemma 2. Since n = 2k − 4 and U and  i V have degree k − 1 then U × V = W = n+2 w i X has degree n + 2 = 2k − 2. i=0 ˆ of W in the n elements ω i gives The evaluation W ⎧ w ˆ0 = W (1) = w0 + w1 + · · · + wn + wn+1 + wn+1 ⎪ ⎪ ⎪ n n+1 ⎪ w ˆ + wn+2 ω n+2 ⎪ 1 = W (ω) = w0 + w1 ω + · · · + wn ω + wn+1 ω ⎪ ⎪ 2 2 n 2 ⎨ w ˆ2 = W (ω ) = w0 + w1 (ω ) + · · · + wn ω + wn (ω )n + wn+2 (ω 2 )n+2 .. .. ⎪ . . ⎪ ⎪ ⎪ n−1 n−1 ⎪ w ˆ = W (ω ) = w ) + · · · + wn (ω n−1 )n ⎪ n−1 0 + w1 (ω ⎪ ⎩ +wn+1 (ω n−1 )n+1 + wn+2 (ω n−1 )n+2 Now, since ω n = 1, we have (ω i )n+1 = ω i and (ω i )n+2 = (ω i )2 for i = 1, . . . , n− 1 in the right part of the previous equations. We get for w ˆi ⎧ w ˆ0 = W (1) = w0 + w1 + · · · + wn + wn+1 + wn+2 ⎪ ⎪ ⎪ n ⎪ w ω + wn+1 ω 2 ⎪ ⎨ ˆ1 = W (ω)2 = w0 + w1 ω +2· · · + wn ω + w2n+1 n w ˆ2 = W (ω ) = w0 + w1 (ω ) + · · · + wn (ω ) + wn+1 ω 2 + wn+2 (ω 2 )2 ⎪ .. .. ⎪ ⎪ . . ⎪ ⎪ ⎩ w ˆn−1 = W (ω n−1 ) = w0 + · · · + wn (ω n−1 )n + wn+1 ω n−1 + wn+2 (ω n−1 )2 The three coefficients w0 , wn+1 , wn+2 are already known. Then we rewrite the previous equations as follows ⎧ w ˆ0 − w0 − wn+1 − wn+2 = w1 + · · · + wn−1 ⎪ ⎪ ⎪ (w ˆ1 − w0 − wn+1 ω − wn+2 ω 2 )ω −1 = w1 + · · · + wn ω n−1 ⎪ ⎨ 2 2 2 −2 2 n−1 ⎪ ⎪ ⎪ ⎪ ⎩

(w ˆ2 − w0 − wn+1 ω − wn+2 (ω ) )ω

.. . (w ˆn−1 − w0 − wn+1 ω n−1 − wn+1 (ω n−1 )2 )ω −(n−1)

= w1 + · · · + wn−1 (ω ) .. . = w1 + · · · + wn−1 (ω n−1 )n−1

We remark now that the right part corresponds to the evaluation of the polyn−1 i  nomial W  = i=0 wi+1 X . Consequently we get the coefficients of W by computing the matrix vector product ⎡ ⎤ ⎡ ⎤ w ˆ0 − w0 − wn+1 − wn+2 w1 ⎢ w2 ⎥ ⎢ ⎥ (w ˆ1 − w0 − wn+1 ω − wn+2 ω 2 )ω −1 ⎢ ⎥ ⎢ ⎥ 2 2 2 −2 1 ⎢ w2 ⎥ ⎢ ⎥ (w ˆ2 − w0 − wn+1 ω − wn+2 (ω ) )ω ⎢ ⎥= Ω·⎢ ⎥ ⎢ .. ⎥ n ⎢ ⎥ .. ⎣ . ⎦ ⎣ ⎦ . wn

(w ˆn−1 − w0 − wn+1 ω n−1 − wn+1 (ω n−1 )2 )ω −(n−1)

430

N. El Mrabet and C. Negre

This corresponds to Eq. (6). The previous Lemmas are just special cases. They can be extended to smaller value of n by increasing the number of precomputed wi for small indices i = 1, 2, . . . and big indices i = 2k − 2, 2k − 3, . . . before the interpolation process using Ω −1 . Remark 2. In the two situations of Lemma 2 and Lemma 3 we can use also Montgomery representation of polynomials to avoid division by n. For example = 1 U and V = 1 V , we if Lemma 2 is applied without the division by n to U n n

= 1 U × V for i = 0, . . . , 2k − 2. Only w obtain the coefficients w

i of W must 2k−1 n 1

be computed separatly w 2k−2 = n w2k−1 to get all the coefficients of W . The same strategy can be applied to Lemma 3 with 3 more multiplications by n1 . 3.4

Complexity of Different DFT Methods

We evaluate the complexity of the different DFT approaches. We distinguished the cases where DFT is performed through a matrix vector product and where DFT is performed using FFT algorithm. We express the costs in term of the number of operations in Fp : the number of multiplication by roots of unity, addition/subtraction, and multiplication. For multi-evaluation and interpolation we used the fact that the entries in Ω and Ω −1 are all powers of ω. We also assume that multiplication are done in Montgomery representation, in order to avoid the division by n1 (cf. Remark 1 and Remark 2). We obtain the complexity given in Table 2. Table 2. Complexity of DFT approaches Method # Mult. by ω i # Mult. # Add. General DFT 4nk − 3n n 4nk − 3n 3n General FFT log2 (n) n 3n log2 (n) 2 Lemma 2 3(2k − 3)2 2k (2k − 2)(6k − 8) Lemma 2 with FFT 3(k − 1) log2 (2k − 2) 2k 3(2k − 2) log2 (2k − 2) + (2k − 2) Lemma 3 3(2k − 5)2 + 2(2k − 5) 2k + 3 3(2k − 4)(2k − 4 − 1) + 2(2k − 4) Lemma 3 with FFT 3(k − 2) log2 (2k − 4) + 3(2k − 5) 2k + 3 3(2k − 4)(log2 (2k − 4) + 1)

4

DFT Friendly Field

We focus in this section on specific fields called DFT friendly fields. These fields admit an AMNS which provide efficient multiplication by roots of unity. 4.1

Definition of DFT Friendly Field

The main goal is to find a way to obtain fields Fp with n-roots of unity such that n ∈ {2k − 1, 2k − 2, 2k − 3} and such that the multiplication by these roots are really efficient. We propose to consider fields Fpk satisfying the following definition.

Finite Field Multiplication Combining AMNS and DFT Approach

431

Definition 2 (DFT Friendly Field). We call a DFT friendly field an extension field Fpk such that Fp admits an AMNS B = (p, , γ, ρ)E of length  and such that one of the following conditions holds 1. λ = 1 and  ∈ {2k − 1, 2k − 2, 2k − 4} and γ is primitive -th root of unity. 2. λ = −1 and  ∈ {k − 1, k − 2} and γ is primitive 2-th root of unity. Since we have roots of unity with appropriate order, we can use DFT approaches presented in Section 3 to perform the multiplication of elements in Fpk . Indeed the condition on  in each cases of Definition 2 enables us to use at least one of the strategies expressed in Subsection 3.1 or Lemma 2 and Lemma 3. In DFT Friendly fields, the roots of unity are the elements ±γ i . The multiplication by these roots can be done using the formula stated in the following Lemma.  i Lemma 4. Let an AMNS B = (p, , γ, ρ)E and a = n−1 i=0 ai γ be expressed in i B. The multiplication of a by the power γ of γ is given by aγ i = λan−i + λan−i+1 γ + · · · + λan−1 γ i−1 + a0 γ i + · · · + an−i−1 γ n−1 Proof. The proof is a direct consequence of the definition of an AMNS. In our case, the field Fp is represented with an AMNS where λ = ±1. Consequently the multiplication by ±γ i consists of only a cyclic shift, with eventually some changes of sign. The multiplication by ±γ i is almost free of computations. Consequently, they do not add multiplications. The total cost of an AMNS multiplication in term of operations on the finite field is given in Table 3. 4.2

Fields Used Pairing Cryptography

We recall here different methods used to construct ordinary elliptic curves and corresponding finite fields providing pairing. The curve order #E(Fp ) must have a big prime factor, called r and an extension degree 6 < k ≤ 32. To get such curve the most used method is based on Complex Multiplication (CM). The construction of a curve with the CM method requires to solve a system of equations (7) where the indeterminates are an integer D, the embedding degree k, the prime factor r, t the trace of the Frobenius on E(Fp ) and p the characteristic of the finite field: ⎧ ⎨ r | p + t − 1, r | pk − 1, for primes r, p, (7) ⎩ Dy 2 = 4p − t2 for some integer y. Several methods exist to solve this system. An overview of these different methods is given in [12]. We recall here the two following methods – The Miyaji-Nakabayashi-Takano (MNT) strategy is one of the first CM method [13] to construct elliptic curves suitable for ECC. It was extended

432

N. El Mrabet and C. Negre

by Barreto and Naehrig [14] to construct elliptic curves with embedding degree 12. These curves with embedding degree 12 are given by the following parametrization: k = 12, p = x4 + 36x3 + 24x2 + 6x + 1, r = 36x4 + 36x3 + 18x2 + 6x + 1, t = 6x2 + 1. – The second method which could be used in order to build curves with arbitrary embedding degree k is the Cocks-Pinch method [15]. This method generates curves with arbitrary r, such that #E(Fp )/r ≈ 2. The extension of the Cocks-Pinch method given in [16] provides smaller value for #E(Fp )/r. Their method can be applied for general embedding degree. For example in [16] they generated a family of curves with embedding degree 16. This family is given by the following polynomials: k = 16, for x ≡ ±25 mod(70) p = (x10 + 2x9 + 5x8 + 48x6 + 152x5 + 240x4 +625x2 + 2398x + 3125)/980, r = (x8 + 4x4 + 625)/61250, t = (2x5 + 41x + 35)/35. For all these constructions, the prime p is constructed randomly. Proposition 1 tells us that if there exists a primitive -th (or 2-th) root of unity, where  satisfies the conditions of Definition 2, then we can construct an AMNS satisfying Definition 2. For a random prime p, the probability that it has a primitive -th root of unity is roughly 1/( − 1). Indeed p has a root of unity if and only if p ≡ 1 mod . But prime are equally distributed in the set of classes modulo . Consequently for small value of , we can easily find a DFT friendly field Fp and an elliptic curve over this field providing practical pairing. 4.3

Complexity Comparison

We present in Table 3 the complexity of a multiplication in DFT friendly fields Fpk for different sizes of k. This complexity is given in term of the number of multiplications and additions in Fp . The complexity is deduced from Table 2 : we neglect the cost of the multiplication by a root of unity since it is almost cost free. Indeed, a multiplication by a root of unity consists only in cyclic shifts. We also specify if we use FFT or not. Table 3 we also give the complexity of the multiplication in friendly field using Karatsuba and Toom Cook multiplications [9]. We remark that even for small value of k, DFT approach seems competitive regarding to the number of multiplications. When no FFT can be used, the number of additions increases significantly and should make our approach incompetitive in these special cases.

Finite Field Multiplication Combining AMNS and DFT Approach

433

Table 3. Complexity comparison for practical extension degree k

5

Method

k

Karatsuba/Toom-Cook [2,9] Karatsuba/Toom-Cook [2,9] Subsection 3.1 with FFT and E = t8 + 1 Karatsuba/Toom-Cook [2,9] Lemma 2 with FFT and E = t8 + 1 Lemma 3 with FFT and E = t8 + 1  i Subsection 3.1 with E = 10 i=0 (−t) Karatsuba/Toom-Cook [2,9]  Lemma 2 with E = 10 (−t)i i=0 i Lemma 3 with E = 10 i=0 (−t) Karatsuba/Toom-Cook [2,9] Subsection 3.1 with FFT and E = t16 + 1 Lemma 2 with FFT and E = t16 + 1 Lemma 3 with FFT and E = t16 + 1 Karatsuba/Toom-Cook [2,9]

6 8 8 9 9 10 11 12 12 13 16 16 17 18 24

Cost of M ultFpk # Add. in Fp # Mult. in Fp 60 15 72 27 192 16 160 25 208 18 240 23 902 22 180 45 1408 24 1430 28 248 81 480 32 512 34 576 39 588 135

Conclusion

We have presented in this paper a new approach for multiplication in fields Fpk used in pairing cryptography. We used AMNS [1] to represent elements in Fp and DFT approach for extension field arithmetic. Specificaly we pointed out that some AMNS provide efficient multiplication by roots of unity and thus optimize DFT approach. Our approch decrease the number of multiplications, but increase the number of additions in Fp in order to compute a multiplication in Fpk . However, the number additional additions is not so important compared to the saved multiplications. The resulting multiplication in the extension field Fpk requires less multiplications in Fp for different practical sizes of k than previously recommended method [2,9]. Specifically for k ≥ 12 combined AMNS and DFT approach in DFT friendly fields, proposed in this paper, decreases the number of multiplications in Fp by 50%.

References 1. Plantard, T.: Modular arithmetic for cryptography. PhD thesis, LIRMM, Universit´e Montpellier 2 (2005) 2. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005) 3. Menezes, A., Vanstone, S., Okamoto, T.: Reducing elliptic curve logarithms to logarithms in a finite field. In: STOC 1991: Proceedings of the twenty-third annual ACM symposium on Theory of computing, pp. 80–89. ACM Press, New York (1991)

434

N. El Mrabet and C. Negre

4. Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 6. Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007) 7. Gorla, E., Puttmann, C., Shokrollahi, J.: Explicit formulas for efficient multiplication in F36m . In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 173–183. Springer, Heidelberg (2007) 8. Negre, C., Plantard, T.: Efficient modular arithmetic in adapted modular number system using lagrange representation. In: Proceedings of Australasian Conference on Information Security and Privacy (ACISPP 2008) (2008) 9. Bajard, J., Mrabet, N.E.: Pairing in cryptography: an arithmetic point of view. In: Advanced Signal Processing Algorithms, Architectures and Implementations XVI, SPIE (August 2007) 10. ZurGathen, J.V., Gerhard, J.: Modern Computer Algebra. Cambridge University Press, New York (2003) 11. Montgomery, P.L.: Modular multiplication without trial division. Mathematics of Computation 44(170), 519–521 (1985) 12. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive (2006), http://eprint.iacr.org/2006/372 13. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for fr-reduction (2001) 14. Barreto, P., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 15. Cocks, C., Pinch, R.: Identity-based cryptosystems based on the Weil pairing (2001) 16. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs Codes and Cryptography 37(1), 133–141 (2005) 17. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing brezing-weng pairing friendly elliptic curves using elements in the cyclotomic field. In: Pairing 2008: Proceedings of the 2nd international conference on Pairing-Based Cryptography, pp. 126–135 (2008)

6

Annexe

We present in this section some examples of curves with embedding degree 6 < k ≤ 32 over DFT friendly field. We first briefly recall the method given in [8] to construct an AMNS for a fixed prime p. We choose a polynomial E(t) = t − λ of degree  and compute γ a root of E in Fp . Then we construct the matrix M : ⎡ ⎤ p 0 0 ··· 0 ⎢ −γ 1 0 · · · 0 ⎥ ⎢ ⎥ 2 ⎢ 0 1 ··· 0⎥ M = ⎢ −γ ⎥ ⎢ .. .. ⎥ . . ⎣ . .⎦ . −γ (−1) 0 · · · 0 1

Finite Field Multiplication Combining AMNS and DFT Approach

435

We apply LLL algorithm to this matrix and we obtain a short vector m satisfying m(γ) = 0 mod p. We finally get ρ = 2|λ|m∞ . 6.1

Curves with Embedding Degree k = 12

We use the parametrization of Barreto and Naehrig [14] which provides elliptic curves with embedding degree 12: k = 12, p = 36x4 + 36x3 + 24x2 + 6x + 1, r = 36x4 + 36x3 + 18x2 + 6x + 1, t = 6x2 + 1.

 i We use also the polynomial E(t) = 10 i=0 (−t) to build the AMNS of p. For a security level of 80 (i.e. the best attack requires 280 operations) we find the following example: x = 1099511637026, p = 52614060714492069992659260093542155440429911322253, r = 52614060714492069992659252839987115706863666574197, t = 7253555039733566244748057, γ = 14348622953168487070046731700990451973985348345534, m(X) = 12376 − 49167X + 48460X 2 + 18281X 3 + 15213X 4 − 10299X 5 +11263X 6 − 70120X 7 − 13636X 8 − 18106X 9. For a security level of 160 we found: x = 18446744073709692895, p = 41685152125435107379370057363152675115521120051443074052763868100 45976396949971, r = 41685152125435107379370057363152675115500703109427817432219558905 25925116063821, t = 2041694201525662054430919520051280886151, γ = 3777110808431704610730298619816519741988385386404769931764 1286502190684739139, m(X) = 8053715 − 20923230X + 23417521X 2 − 26826999X 3 + 19243643X 4 +1059907X 5 − 41954237X 6 − 42180723X 7 + 5371359X 8 − 19196965X 9 .

6.2

Curves with Embedding Degree k = 16

We use the parametrization of [17]: k = 16, p = (x10 + 2x9 + 5x8 + 48x6 + 152x5 + 240x4 + 625x2 + 2398x + 3125)/980, r = (x8 + 48x4 + 625)/61250, t = (2x5 + 41x + 35)/35.

436

N. El Mrabet and C. Negre

We use the polynomial E(t) = t16 + 1. For a security level of 80 we found the following example: x = 74156485, p = 5131747716031925180698577911272774150920883965678805953616840478 933959934561, r = 14930934707260179303940284190066288525962852908481890536993, t = 128146760584932038247348983414439772062, γ = 3869682865821773894755186582406048635100954822997767338413 19721386977404674, m(X) = 7400X + 49262X 2 − 3010X 3 − 14335X 4 + 34360X 5 +43021X 6 + 6813X 7 + 5184X 8 + 13206X 9 + 10037X 10 +2540X 11 − 7384X 12 − 66117X 13 − 57557X 14 + 32450X 15 .

For a security level of 160 we found : x = 300650886015, p = 6157420379412900644319875864344339428999761290450062716759615209 367079614301451112752451271493775945297121074689, r = 1089917965628569491882686378264600130698430055744221456154539259 930378582049607058754993, t = 140370029614552009401267496693144064107592433030506438440, γ = 551737151471267013665906013312108810638488413639246814149706 947418249015319821682977158544996914977939922628908, m(X) = 11792 + 15441X − 25387X 2 + 11348X 3 + 20103X 4 + 25605X 5 −8716X 6 + 9091X 7 + 19039X 8 + 13855X 9 − 22021X 10 − 15182X 11 −4543X 12 + 1417X 13 − 26776X 14 + 11502X 15 .

Random Order m-ary Exponentiation Michael Tunstall Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol BS8 1UB, United Kingdom [email protected]

Abstract. This paper describes a m-ary exponentiation algorithm where the radix-m digits of an exponent can be treated in a somewhat random order without using any more group operations than a standard right-to-left m-ary exponentiation. This paper demonstrates that the random order countermeasure, commonly used to protect implementations of secret key cryptographic algorithms, can be applied to public key cryptographic algorithms. Keywords: Exponentiation algorithms, random order countermeasure, side channel analysis.

1

Introduction

Implementations of exponentiation algorithms in microprocessors need to be resistant to side channel analysis. For example, it has been demonstrated that a private key used in RSA [21] can be derived by observing a suitable side channel, such as power consumption [15] or electromagnetic emanations [11,20]. These attacks targeted implementations of the square and multiply algorithm, where an exponent is read bit-by-bit and a zero in the exponent results in a squaring operation, whereas a one results in a squaring operation followed by a multiplication. Bits of a private key can be seen directly if these two operations can be distinguished by observing a suitable side channel while an exponentiation is being computed. The first proposed countermeasure was to always compute a squaring operation followed by a (possibly fake) multiplication for each bit of an exponent, referred to as the square and multiply always algorithm [10]. This algorithm has a large impact on the efficiency of the computation of an exponentiation. An alternative was proposed in [9] that proposed efficient algorithms with a fixed structure, i.e. a structure independent to the value of the exponent. A further suggestion was made in [8], where it was proposed that a squaring operation and a multiplication be rendered indistinguishable via a side channel. More complex attacks are proposed in [15], where numerous acquisitions are taken and an attacker attempts to observes a statistical relationship between an observed side channel and an intermediate state. In order to prevent this class of C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 437–451, 2009. c Springer-Verlag Berlin Heidelberg 2009 

438

M. Tunstall

attack individual variables are combined with random values generated for each instantiation of an algorithm [6]. In block ciphers the order in which variables are treated can also be randomised to augment the side channel resistance of an implementation [17]. In this paper an algorithm is proposed that allows an exponentiation to be computed in a random order, although not all orders will occur with with the same probability. This algorithm is intended to allow an exponentiation to be computed without the currently used blinding algorithms. However, the proposed algorithm could also be used to augment the security of an exponentiation implementation, and will inhibit attacks that allow operations to be distinguished from one acquisition. The proposed algorithm requires a large amount of memory. However, some modern smart card chips are using 32-bit architectures and one can expect to have around 4k of RAM available [4,18]. This would allow for the proposed algorithm to be implemented for elliptic curve cryptography, but it is unlikely to be possible for exponentiation in (Z/N Z)∗ . The rest of this paper is organised as follows. In the next section, we review some methods for evaluating an exponentiation. In Section 3 we describe the methods of side channel analysis that could potentially be used to attack an exponentiation. The previously published uses of random values as a countermeasure to side channel analysis is described in Section 4. In Section 5 we detail an exponentiation algorithm where the digits can be treated in a random order. In Section 6 we describe how an attacker would try to derive information by side channel analysis. Finally, we conclude in Section 7.

2 2.1

Exponentiation Algorithms The Square and Multiply Algorithm

The simplest algorithm for computing an exponentiation is the square and multiply algorithm. This is where an exponent is read left-to-right bit-by-bit, a zero results in a squaring operation being performed, and a one results in a squaring operation followed by a multiplication with the original message. This algorithm is detailed in Algorithm 1, where we define the function bit(n, i) as a function returning the i-th bit of n. The input is an element x in a (multiplicatively written) group G and a positive -bit integer n; the output is the element z = xn in G. This algorithm requires two group elements in memory and, on average, 1.5 (log2 n − 1) group operations to compute xn . 2.2

Left-to-Right m-Ary Exponentiation

In order to compute z = xn more efficiently it is possible to use an algorithm that is described in [13]. In this algorithm one precomputes some values that are small powers of x and the exponent is broken up into  words in base m (this is called the m-ary expansion and  is called the m-ary length). Typically, m is

Random Order m-ary Exponentiation

439

Algorithm 1: The Square and Multiply Algorithm Input: x ∈ G, n ≥ 1,  the binary length of n (i.e. 2−1 ≤ n < 2 ) Output: z = xn A←x R←x for i =  − 2 down to 0 do A ← A2 if (bit(n, i)= 0) then A ← A · R end return A

chosen to be equal to 2k , for some convenient value of k, to enable the relevant digits to simply be read from the exponent. The m-ary algorithm is shown in Algorithm 2, where we define the function digit(n, i) as a function returning the i-th radix-m digit of n. This algorithm requires m group elements in memory   and, on average, m + m−1 (log m n − 1)+ m− 2 group operations to compute m xn . Algorithm 2: Left-to-Right m-ary Exponentiation Algorithm Input: x ∈ G, n ≥ 1,  the m-ary length of n Output: z = xn Uses: A, R[i] for i ∈ {1, 2, . . . , m − 1} R[1] ← x for i ← 2 to m − 1 do R[i] ← R[i − 1] · x b ← digit(n,  − 1) A ← R[b] for i =  − 2 down to 0 do A ← Am b ← digit(n, i) if (b = 0) then A ← A · R[b] end return A

2.3

Right-to-Left m-Ary Exponentiation

A right-to-left version of Algorithm 2 was described in [24]. This algorithm is detailed in Algorithm 3, and requires slightly more operations than the leftto-right algorithm. The structure of the algorithm is different as the effect of the value of each digit is not taken into account until the final stage of the algorithm. This algorithm requires   (m − 1) + 1 = m group elements in memory and, on average, m−1 m + m (logm n − 1) + 2m − 3 group operations to compute xn .

440

M. Tunstall

Algorithm 3: Right-to-Left m-ary Exponentiation Input: x ∈ G, n ≥ 1 Output: z = xn Uses: A, R[j] for j ∈ {1, . . . , m − 1} for j = 1 to m − 1 do R[j] ← 1G A←x while (n ≥ m) do d ← n mod m if (d = 0) then R[d] ← R[d] · A A ← Am n ← n/m end R[n] ← R[n] · A A ← R[m − 1] for j = m − 2 down to 1 do R[j] ← R[j] · R[j + 1] A ← A · R[j] end return A

3 3.1

Side Channel Analysis Simple Side Channel Analysis

The most basic form of side channel analysis is to simply inspect one acquisition of a suitable side channel, referred to as Simple Side Channel Analysis (SPA). This involves observing a suitable side channel whilst a computation is taking place. An attacker will then try and make deductions about what calculations are being performed based on these observations. If we consider the square and multiply algorithm, it has been shown that bit values of an exponent can be distinguished by observing a suitable side channel, such as the power consumption [15] or electromagnetic emanations [11,20]. 3.2

Differential Side Channel Analysis

It has been demonstrated that in microprocessors the instantaneous power consumption is typically proportional to the Hamming weight of data being manipulated at a given point in time [5], and the same relationship has been observed in electromagnetic emanations [11,20]. This difference in Hamming weight was first exploited in [15] to attack block ciphers. This was extended in [5] to give a more complete analysis of the power consumption. In this attack, an attacker acquires M power consumption traces (wi for i ∈ {1, 2, . . . , M }) during the computation of a cryptographic algorithm, and chooses one word, b, of an intermediate state generated while the acquisition is taking place. For a given hypothesis for a key value (or portion of the key) K

Random Order m-ary Exponentiation

441

the Hamming weight of b is predicted and the correlation between this value and the instantaneous power consumption is calculated. A significant correlation will confirm the hypotheses, allowing an attacker to derive information on the key. In order to attack an exponentiation, an attacker could use this to confirm hypotheses on an intermediate state of a multiplication at an arbitrary point in the computation to derive portions of the exponent. A significant correlation would indicate that the hypothesised exponent bits are correct.

4

Using Random Values as a Countermeasure

In this section we describe some of the countermeasures that can be used to prevent side channel analysis. We concentrate on countermeasures that are specific to exponentiation algorithms. The interested reader is referred to [16] for a discussion of countermeasures to side channel analysis in more general terms. 4.1

Blinding

The use of random values to modify the behaviour of an exponentiation has taken many different forms. One of the first proposals was to modify all the variables in a modular exponentiation [14]. If we consider the modular exponentiation z = xn mod m, this could be implemented as   n+r ·φ(m) z = (x + r1 · m) 2 mod r3 · m mod m , where r1 , r2 and r3 are random values and φ is Euler’s Totient function. Typically, the bit lengths of r1 , r2 and r3 are chosen to increase x, d and m by one word of the processor computing the exponentiation. The above equation is specific to (Z/N Z)∗ , but equivalent algorithms exist for exponentiation algorithms in other groups (e.g. elliptic curves over Fp and F2q [10]). 4.2

Randomised Algorithms

When implementing block ciphers one would combine masking with a random ordering. For example, if a given function were to be applied to a series of bytes, one would implement the function such that the bytes were treated in some random order. If an attacker were to try and predict a byte value occurring at a given point in time, the prediction would only be correct a small proportion of the time. This has a direct impact on the computed correlation coefficient, discussed in Section 3.2, since an attacker’s prediction will often be incorrect. An equivalent countermeasure for exponentiation algorithms has not previously been proposed in the literature, but other methods of randomising the computation of an exponentiation have been proposed. In this section we review some of these methods.

442

M. Tunstall

Random Digit Sizes A right-to-left m-ary exponentiation algorithm is proposed in [23] where the radix of the digits of the exponent is varied during the computation of an exponentiation. The algorithm proceeds as described in Algorithm 3, but the radix of the digits of the exponent digits is chosen randomly between 2,3 and 5 whenever a new digit is required during the main loop of the algorithm. Overlapping Exponent Digits Another algorithm that modifies the exponent digits every time an exponentiation is computed is presented in [12]. When the exponent digits are read from the exponent the number if bits is extended such that the bits of one digit will overlap with the bits of the neighbouring digits. The digits are modified such that the sum of the effect of the overlapping digits is equivalent to the desired exponent. Given that there are numerous combinations of overlapping digits that are equivalent to the desired exponent, some bits of each digit can be randomly set each time the algorithm is executed.

5

Random Order Exponentiation

In this section we define a right-to-left m-ary exponentiation algorithm, where the radix-m digits of the exponent are treated in a random order. Before the algorithm is defined we demonstrate that, if enough memory is available, the digits of an exponent could be treated in an arbitrary order when using Algorithm 3. Consider the right-to-left m-ary exponentiation algorithm to z = xn . compute −1 i We can write the radix-m expansion of the exponent as n = i=0 di m . Then     i i i i z= xm · x2·m · · · xj·m · · · x(m−1)·m 0≤i≤−1 di =1

=

m−1  j=1

0≤i≤−1 di =2 j

(R[j])

where R[j] =

0≤i≤−1 di =j



0≤i≤−1 di =m−1 i

xm .

0≤i≤−1 di =j

In Algorithm 3, each R[j] for j ∈ {1, . . . m − 1} is computed and then combined in the final loop to raise each R[j] to the power of j and compute the product  j of the results, i.e. j (R[j]) . i

We can note that each R[j] is the product of xm for all i ∈ {0, . . . ,  − 1} i where di is equal to j. This can be computed in any order if all the values xm are known. Therefore, if it would be possible to precompute and store all the group i elements xm , for i ∈ {0, . . . ,  − 1}, they could be multiplied with the relevant R[j] in an arbitrary order. A worked example of this is shown in Appendix A. However, there would need to be enough memory available to store all  group elements.

Random Order m-ary Exponentiation

443

If we consider the bit lengths of variables in exponentiations that would be of i use in cryptography, it is unlikely that all the values of xm , for i ∈ {0, . . . , −1}, could be stored in the memory of a microprocessor. However, if we assume that there is enough memory available to store r group i elements, we can precompute and store xm , for i ∈ {0, . . . , r − 1}. Suppose these are stored in an array 2

S = {x, xm , xm , . . . , xm

r−1

},

and list the first r digits of the exponent as D = {d0 , d1 , d2 , . . . , dr−1 } . If we initialise a set of registers R[i], for i ∈ {1, . . . , m − 1}, to 1G . We can treat the r values held in S and D in some arbitrary order, where, for each j ∈ {0, . . . , r − 1}, we compute R[D[j]] = R[D[j]] · S[j]. The contents of R[i], for i ∈ {1, . . . , m − 1}, will then contain the same group elements one would expect if the standard right-to-left m-ary exponentiation had treated the first r digits of the exponent (see Algorithm 3). One could then assign the next r values that would be required to continue computing the exponentiation to S and D, which then become r r+1 r+2 2r−1 S = {xm , xm , xm , . . . , xm }, and D = {dr , dr+1 , dr+2 , . . . , d2r−1 } . These values could also be treated in some arbitrary order, as for for each j ∈ {0, . . . , r − 1} we compute R[D[j]] = R[D[j]] · S[j]. After which the values held in R[i], for i ∈ {1, . . . , m − 1}, will be the same as if the standard right-to-left m-ary exponentiation has treated the first 2r digits of the exponent. This could be continued until all the digits of the exponent have been treated. However, we can do better by noting that once R[D[j]] = R[D[j]] · S[j] has been computed, for a given j ∈ {0, . . . , r − 1}, then D[j] and S[j] are no longer required by the exponentiation algorithm. These values in memory can be safely overwritten. Consider again the initial state of S and D 2

r−1

S = {x, xm , xm , . . . , xm

} , D = {d0 , d1 , d2 , . . . , dr−1 } .

If we compute R[D[j]] = R[D[j]] · S[j], for some arbitrary j ∈ {0, . . . , r − 1}, we r can replace D[j] with dr and S[j] with xm . If, for example, we take j = 1 then, after computing R[D[1]] = R[D[1]] · S[1], we can replace D[1] and S[1]. That is, r

2

S = {x, xm , xm , . . . , xm

r−1

},

and D = {d0 , dr , d2 , . . . , dr−1 } . This could be repeated for another D[j] and S[j], for some arbitrary r+1 j ∈ {0, . . . , r − 1}, and the j-th values of S and D replaced with xm and

444

M. Tunstall

dr+1 respectively. For an -bit exponent this could be repeated  − r times, at which point one would be unable to include any new digits in D. One could then compute R[D[j]] = R[D[j]] · S[j] for each j ∈ {0, . . . , r − 1} without replacing any of the values in D or S. After which, all of the digits of the exponent, i.e. all di for i ∈ {0, . . . ,  − 1}, will have been treated. A worked example of this process is given in Appendix A. An example of how this could be implemented to produce an exponentiation algorithm where the digits are treated in some random order is shown in Algorithm 4, where we define the function RandomInteger(x, y) as returning a random integer in the interval [x, y]. In order to minimise the number of operations required it is necessary to keep i track of which element of S contains the largest power of x, so that xm can be i−1 computed from xm with a minimum, and constant, number of operations. In Algorithm 4 we use the variable γ as a pointer to the largest power of x present in S. It is interesting to note that this algorithm does not require any more group operations than Algorithm 3 so the performance should remain unaffected. However, this does assume that random values can be generated instantly. The difference in performance between Algorithm 3 and Algorithm 4 will be the time required to generate  − r random values. Algorithm 4 requires significantly more memory than Algorithm 3, as (m − 1) + r + 1 = m + r group elements need to be stored in memory. A further r radix-m digits will also need to be held in memory.

6

Security Analysis

In this section we describe how an attacker would attempt to derive digits of the exponent used in an implementation of Algorithm 4 by side channel analysis. 6.1

Simple Side Channel Analysis

Algorithm 4 is, to a certain extent, vulnerable to Simple Side Channel Analysis. It would be expected that an attacker would be able to detect when zero digits are treated. In order to counter this, the multiplication and squaring operations can be implemented such that they use identical code and, therefore, cannot be distinguished [8]. There are methods of statistically distinguishing a multiplication and a squaring operation based on the design [2] or the distribution of the bits of single-precision operations [3]. It is expected that similar attacks may be possible on a single acquisition using template attacks [7]. If an attacker is able to distinguish multiplications from squaring operations the amount of information available is limited. An attacker would be able to determine the total number of zero digits in an exponent, but only approximately where they are in an exponent. The position of the first zero digit in the exponent could be determined by taking enough acquisitions that it is possible to determine the earliest in an exponentiation that a zero digit is visible in a side

Random Order m-ary Exponentiation

445

Algorithm 4: Random Order Right-to-Left m-ary Exponentiation Input: x ∈ G, n ≥ 1, r number of values to store in memory. Output: z = xn Uses: A, R[j] for j ∈ {1, . . . , m − 1}, D[i] for i ∈ {0, . . . , r − 1}, S[i] for i ∈ {0, . . . , r − 1} for j = 1 to m − 1 do R[j] ← 1G S[0] ← x for i = 1 to r − 1 do S[i] ← S[i − 1]m for i = 0 to r − 1 do D[i] ← n mod m n ← n/m end γ ←r−1 while (n > 0) do τ = RandomInteger(0, r − 1) if D[τ ] = 0 then R[D[τ ]] ← R[D[τ ]] · S[τ ] end S[τ ] ← S[γ]m D[τ ] ← n mod m n ← n/m γ←τ end for i = r − 1 down to 0 do R[D[i]] ← R[D[i]] · S[i] end A ← R[m − 1] for i = m − 2 down to 1 do R[i] ← R[i] · R[i + 1] A ← A · R[i] end return A

channel. However, it is unclear how an attacker would derive further zero digits unless they occur infrequently in an exponent, i.e. an attacker is able to locate the earliest point each zero digit is used during the computation of an exponentiation. This is unlikely to be the case, especially if the number of elements in D and S is of a similar size to the radix of the digits being taken from the exponent, in which case we would expect, statistically, there to be one zero digit in D most of the time. In [19], M¨ oller describes a recoding algorithm for m-ary exponentiation where each digit that is equal to zero is replaced with −m, and the next most significant digit is incremented by one. This leads to an exponent recoded with digits in the set {1, . . . , m−1}∪{−m}. An unsigned version of M¨ oller’s algorithm is described in [22] where the digits are recoded with digits in the set {1, . . . , m}. Where

446

M. Tunstall

each zero digit is replaced with m and the next digit is decremented by one, which removes the need to compute a potentially costly inversion. Both of these algorithms render a subsequent m-ary exponentiation regular, and, therefore, resistant to simple side channel analysis. 6.2

Differential Side Channel Analysis

In order to conduct a side channel attack using differential side channel analysis, an attacker needs to construct hypotheses on data being manipulated at a specific point in time for each acquisition in a set of acquisitions. An attacker can then attempt to confirm these hypotheses by computing the correlation between them and each instant in time of during the acquisitions. In this section we describe how differential side channel analysis could be applied to Algorithm 4. We assume that an attacker has acquired sufficient traces of a side channel to conduct a differential side channel attack, as described in Section 3.2, on Algorithm 4. We also assume that the exponent has been recoded such that the digits are in the set {1, . . . , m}, as described above. If an attacker were to try and conduct an differential side channel attack it would be assumed that the digit treated at the -th round is the ( + r − 1)-th digit of the exponent (counting from the right). This is because at this at this point the ( + r − 1)-th digit will just have been included into the digits from which the algorithm will randomly select a digit to treat and will occur at this point with the highest frequency. This can be seen if we consider that once a digit has been included, it has a probability of 1/r of being used in the next round. It has the same probability of being used in the following round but this can only occur if the digit was not treated in the previous round, so the probability of the digit not being used in the first round but being used in the second round is 1 − 1r 1r . In general, we can say that the probability of a digit being treated θ rounds after being  θ−1 included is 1r 1 − 1r . The highest probability occurs one round after a digit is included when θ = 1. In [5] it is pointed out that if the correlation coefficient of η independent bits amongst δ is calculated, a partial correlation still exists and its size can be predicted as a function of the coefficient that would be generated if all the bits of δ were included. This is given as: η ρη/δ = ρ δ where ρ is the correlation if everything is known and ρη/δ is the predicted partial correlation. This also applies to η intermediate states being correctly predicted out of a total of δ. Therefore, in conducting a side channel attack against a random order

exponentiation the correlation coefficient seen would be reduced to 1/r of the correlation coefficient that would be seen if a non-randomised algorithm were under attack if R is known. This would indicate to an attacker which previously treated digits of the exponent are equal to the ( + r − 1)-th digit.

Random Order m-ary Exponentiation

447

However, the state of R will not be known to an attacker. To conduct a differential side channel attack an attacker would be obliged to form hypotheses on the number and positions of the digits with the same value as the (+r−1)-th digit and therefore predict the state of R. An attacker would then be obliged to generate a correlation trace from the acquired traces for all of the possible values of R. The state of R will be different for each execution since the digits that have not been treated at the -th round will vary from one execution to another. An attacker would, therefore, be obliged to predict the most likely state of R and assume this is the state for every acquisition. This will further reduce the correlation coefficient visible via a differential side channel attack. An attacker can,

therefore, expect to be able to derive a correlation whose size is reduced to 1/r of what one would be able to produce when attacking a na¨ıve implementation in the first round of the algorithm. In subsequent rounds the largest correlation an attacker could hope to produce will diminish rapidly. It is not clear exactly how the correlation will diminish, and it is left as open problem, as to exactly how an attacker would attempt to derive the exponent via differential side channel analysis.

7

Conclusion

In this paper we present a method of computing an exponentiation where radixm digits can be treated in a random order. The algorithm is intended to provide resistance to side channel analysis, and some informal arguments are given as to the side channel analysis resistance of this algorithm. However, we can note that not all the possible orderings of exponent digits will be equally likely. Algorithm 4 will most likely find use as a supplement, rather than as a replacement, to the blinding countermeasure described in Section 4.1. This is because it may be possible to derive the digits used in an m-ary exponentiation from one trace using template attacks [7]. In the example given, d + φ(m) gives a value equivalent to the private key and could be used to start to make attempts at factoring m. If Algorithm 4 were also used, an attacker would have to test all the possible orderings of the exponent to find d+φ(m). This is an advantage over the previously proposed randomised exponentiation algorithms [12,23], described in Section 4.2, that would provide a value equivalent to the exponent if one were able to derive the digits of an exponent from one acquisition. Another advantage over previously proposed countermeasures [12,23], is that the digit size can be chosen such that it evenly divides a computer word. It is, therefore, not necessary to read digits that will have bits on two computer words, which has implications for both security and efficiency. As stated in the introduction, Algorithm 4 requires a large amount of memory, as Algorithm 4 requires m + r group elements to be stored in memory. There are 32-bit secure microprocessors that have enough memory to allow exponentiation in Fp or F2q to be implemented [4,18]. More recently, processors with larger memories are being studied with regard to their side channel resistance [1], on

448

M. Tunstall

which one would be able to implement Algorithm 4 in (Z/N Z)∗ . This is unlikely to be possible on a smart card microprocessor unless a cryptographic coprocessor with a large amount of registers is included. The side channel resistance of the algorithm proposed in this paper is only briefly analysed. There are some open problems that arise from this work. The most obvious question is exactly how one would mount a side channel attack against Algorithm 4. Some brief details are given, but the magnitude of the correlation coefficient one would expect to be able to observe for a given r is not defined. Indeed, it remains to be shown what values of r would provide a suitable level of random ordering. Another question is how one would attack Algorithm 4 if it were combined with other countermeasures. For example, one could easily combine Algorithm 4 with Walter’s MIST algorithm [23] where the radix of the digits read from an exponent is also randomised.

Acknowledgements The author would like to thank Elisabeth Oswald and Dan Page for their helpful comments related to the ideas presented in this paper. The author would also like to thank Steven Galbraith for his help in preparing the final version of this paper. The work described in this paper has been supported in part by the European Commission IST Programme under Contract IST-2002-507932 ECRYPT and EPSRC grant EP/F039638/1 “Investigation of Power Analysis Attacks”.

References 1. Side-channel attack standard evaluation board (SASEBO), http://www.rcis.aist.go.jp/special/SASEBO 2. Akishita, T., Takagi, T.: Power analysis to ECC using differential power between multiplication and squaring. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 151–164. Springer, Heidelberg (2006) 3. Amiel, F., Feix, B., Tunstall, M., Whelan, C., Marnane, W.P.: Distinguishing multiplications from squaring operations. In: SAC 2008. LNCS. Springer, Heidelberg (2008) 4. ARM. SecurCore family, http://www.arm.com/products/CPUs/families/SecurCoreFamily.html 5. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004) 6. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999) 7. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)

Random Order m-ary Exponentiation

449

8. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity. IEEE Transactions on Computers 53(6), 760–768 (2004) 9. Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Ko¸c, C ¸ .K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 300–308. Springer, Heidelberg (2001) 10. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999) 11. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Ko¸c, C ¸ .K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001) 12. Itoh, K., Yajima, J., Takenaka, M., Torii, N.: DPA countermeasures by improving the window method. In: Kaliski Jr., B.S., Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 303–317. Springer, Heidelberg (2003) 13. Knuth, D.E.: The Art of Computer Programming, 2nd edn. Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1981) 14. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996) 15. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) 16. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks — Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007) 17. Messerges, T.S.: Power Analysis Attacks and Countermeasures for Cryptographic Algorithms. PhD thesis, University of Illinois, Chicago (2000) 18. MIPS-Technologies. SmartMIPS ASE, http://www.mips.com/content/Products/ 19. M¨ oller, B.: Securing elliptic curve point multiplication against side-channel attacks. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 324–334. Springer, Heidelberg (2001) 20. Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (EMA): Measures and counter-measures for smart cards. In: Attali, S., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001) 21. Rivest, R., Shamir, A., Adleman, L.M.: Method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978) 22. Vuillaume, C., Okeya, K.: Flexible exponentiation with resistance to side channel attacks. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 268–283. Springer, Heidelberg (2006) 23. Walter, C.D.: MIST: An efficient, randomized exponentiation algorithm for resisting power analysis. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 53–66. Springer, Heidelberg (2002) 24. Yao, A.C.: On the evaluation of powers. SIAM Journal on Computing 5(1), 100–103 (1976)

A

Worked Example

We wish to compute z = xn , where n is set to 738530 (B44E2 in hexadecimal) and the digits will be read from this exponent two bits at a time, i.e. m = 4. The digits and powers of x (variable A) computed in the main loop of Algorithm 3

450

M. Tunstall i

are shown below. If enough memory were available then xm for i ∈ {0, . . . , 9} could all be precomputed. Then we can set S = {x, x4 , x16 , x64 , x256 , x1024 , x4096 , x16384 , x65536 , x262144 } , and D = {2, 0, 2, 3, 0, 1, 0, 1, 3, 2} . The exponentiation can be computed by treating the elements of S and D in an arbitrary order. We initially set R[j] for j ∈ {1, 2, 3} to 1G . An arbitrary j ∈ {0, . . . , 9} is chosen, and we compute R[D[j]] = R[D[j]] · S[j] except when D[j] is equal to zero when no operation is performed. This is repeated once for each possible value of j, which will result in: R[1] = S[5] · S[7] = x1024 x16384 = x17408 R[2] = S[0] · S[2] · S[9] = x x16 x262144 = x262161 R[3] = S[3] · S[8] = x64 x65536 = x65600 where z = R[1] · R[2]2 · R[3]3 = x17408 x2·262161 x3·65600 = x738530 , which is computed by the final loop in Algorithm 3. If the above computation of z = xn were conducted using Algorithm 4, where we set r = 6 so that there is only enough memory to store six group elements in i S. The initial values in memory would be xm for i ∈ {0, . . . , 5}, i.e. S = {x, x4 , x16 , x64 , x256 , x1024 } , and the corresponding digits of the exponent would be D = {2, 0, 2, 3, 0, 1} . Again, initially set R[j] for j ∈ {1, 2, 3} to 1G . An arbitrary j ∈ {0, . . . , 5} is chosen, and we compute R[D[j]] = R[D[j]] · S[j]. As above, all R[j] for j ∈ {1, 2, 3} are initialised to 1G . We will take j = 3 which give S[3] = x64 and D[3] = 3, and we compute R[3] = R[3] · x64 . The values in S[3] and D[3] are no 7 longer required and can be replaced. We, therefore set S[3] = xm = x4096 and D[3] = 0. The values contained in memory would then be S = {x, x4 , x16 , x4096 , x256 , x1024 } , and D = {2, 0, 2, 0, 0, 1} . Another arbitrary j ∈ {0, . . . , 5} can then be selected. We will take j = 0, which will mean we will compute R[2] = R[2] · x. After which S[0] and D[0] can be 8 replaced with xm and 1 respectively, giving S = {x16384 , x4 , x16 , x2048 , x256 , x1024 } ,

Random Order m-ary Exponentiation

451

and D = {1, 0, 2, 0, 0, 1} . Next, we take j = 4. D[4] is equal to zero, so no operation is conducted with 9 S[4], and these elements can be replaced with 3 and xm , giving S = {x16384 , x4 , x16 , x4096 , x65536 , x1024 } , and D = {1, 0, 2, 0, 3, 1} . We now take j = 1. Again, the chosen digit, D[1], is equal to zero and no 10 operation takes place. S[1] and D[1] can be replaced with xm and the last digit of the exponent, giving S = {x16384 , x262144 , x16 , x4096 , x65536 , x1024 } , and D = {1, 2, 2, 0, 3, 1} . There are now no remaining digits that could be D, so there is no further need to select digits to be replaced. The remaining digits can be treated, where for each j ∈ {0, . . . , 5} we compute R[D[j]] = R[D[j]] · S[j] except when D[j] is equal to zero when no operation is performed. This can be performed in an arbitrary order and will result in: R[1] = S[7] · S[5] = x16384 x1024 = x17408 R[2] = S[0] · S[9] · S[2] = x x262144 x16 = x262161 R[3] = S[3] · S[8] = x64 x65536 = x65600 i

This is exactly the same result as given where all the xm for i ∈ {0, . . . , 9} i are precomputed. The only difference being the order in which the xm , for i ∈ {1, . . . , 10}, are multiplied together. The final stage is the same as described above, since z = R[1] · R[2]2 · R[3]3 = x17408 x2·262161 x3·65600 = x738530 .

Jacobi Quartic Curves Revisited Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson Information Security Institute, Queensland University of Technology, QLD, 4000, Australia {h.hisil,kk.wong,g.carter,e.dawson}@qut.edu.au

Abstract. This paper provides new results about efficient arithmetic on Jacobi quartic form elliptic curves, y 2 = dx4 + 2ax2 + 1. With recent bandwidth-efficient proposals, the arithmetic on Jacobi quartic curves became solidly faster than that of Weierstrass curves. These proposals use up to 7 coordinates to represent a single point. However, fast scalar multiplication algorithms based on windowing techniques, precompute and store several points which require more space than what it takes with 3 coordinates. Also note that some of these proposals require d = 1 for full speed. Unfortunately, elliptic curves having 2-times-a-prime number of points, cannot be written in Jacobi quartic form if d = 1. Even worse the contemporary formulae may fail to output correct coordinates for some inputs. This paper provides improved speeds using fewer coordinates without causing the above mentioned problems. For instance, our proposed point doubling algorithm takes only 2 multiplications, 5 squarings, and no multiplication with curve constants when d is arbitrary and a = ±1/2. Keywords: Efficient elliptic curve arithmetic, point multiplication, Jacobi model of elliptic curves.

1

Introduction

Cryptology as a computational science has been a driving force behind the arithmetic of elliptic curves in the past few decades. The demand for more speed led researchers to propose new formulae/algorithms/point-representations for several different elliptic curve models. However, the speed limitation for performing arithmetic on elliptic curves —like many other computational problems— is still an open question. The historical roots of the topic dates back to late 18th and early 19th century: the time of Euler, Abel and Jacobi. An outline of the previous work restricted to the efficient arithmetic on Jacobi quartic curves is as follows. Chudnovsky and Chudnovsky [8] introduced the first inversion-free algorithms for performing group operations using a weighted projective point representation. Billet and Joye [2] used Jacobi quartic curves for protection against side-channel attacks with a point addition speed record for that time of 10M+3S+1D. In this paper, M stands for a field multiplication; S for a field squaring; D for a multiplication by a curve constant; I for a field inversion. This notation is borrowed from C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 452–468, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Jacobi Quartic Curves Revisited

453

[6]. Duquesne [11] improved this operation count by 1M + 1S with a variant of Billet/Joye unified point addition algorithm. Duquesne’s method converts the base point in weighted projective coordinates to a new point representation with 4 coordinates, performs the scalar multiplication within the new coordinate system, and outputs the final result in original weighted projective coordinates. Duquesne’s improvement was followed by additional results in [5], [17], and [18]. However, the latter proposals tend to use more space —up to 7 coordinates per point— despite their speed advantage. Further disadvantages have already been mentioned in the abstract. We will extend our discussion on these aspects in §2. In this paper, we carefully optimize the arithmetic of Jacobi quartic curves targeting more efficient scalar multiplication operations. Our proposal performs faster and uses less space than [11], [5], [17], and [18]. The paper is organized as follows. A review of Jacobi quartic curves is given in §2. Efficient algorithms/formulae/point-representations are introduced in §3, §4, and §5. Implementation timings are given in §6. We draw our conclusions in §7.

2

Background

This section gives definitions for Jacobi quartic curves. Some of the results involved in this section are analogous to our earlier work [19]. Let K be a field with char(K) = 2. A Jacobi quartic form elliptic curve over K is defined by EJ,d,a : y 2 = dx4 + 2ax2 + 1 where a, d ∈ K with Δ = 256d(a2 − d)2 = 0. The j-invariant of this curve is given by 64d−1 (a2 − d)−2 (a2 + 3d)3 ∈ K. Billet and Joye remark in [2] that any elliptic curve, E/K, can be written as EJ,d,a /K if E(K) has an element of order 2 and provide the transformations between a Weierstrass elliptic curve y 2 = x3 +ax+b of even order and a projective Jacobi quartic curve. We first review the most popular addition formulae. Let (x1 , y1 ), (x2 , y2 ) ∈ EJ,d,a (K). Assuming that (x3 , y3 ) is defined we have (x1 , y1 )+ (x2 , y2 ) = (x3 , y3 ) where x3 =

x 1 y2 + y 1 x 2 , 1 − dx21 x22

(1)

y3 =

(y1 y2 + 2ax1 x2 )(1 + dx21 x22 ) + 2dx1 x2 (x21 + x22 ) . (1 − dx21 x22 )2

(2)

Formula (1) appears in one of Euler’s historical works [13]. Formula (2) is adapted from [2]. With this selection of the algebraic expressions, the identity element becomes the point (0, 1). The negative of a point (x, y) is (−x, y). The point (0, −1) is of order 2. EJ,d,a is non-singular provided that Δ = 0. On the other hand, there is a singular point at infinity —denoted by (0 : 1 : 0)— in the projective closure of EJ,d,a if and only if d is a square in K. Resolving this singularity yields two more points of order 2 (both are written as (0 : 1 : 0)).

454

H. Hisil et al.

The following lemma shows that formulae (1) and (2) are complete if d is not a square in K. The term complete is used to emphasize that addition formulae are defined for all inputs, see [6]. Lemma 1. Let d, x1 , x2 ∈ K. Assume that d is non-square. Then dx21 x22 = 1. Proof. Suppose that dx21 x22 = 1. So d, x1 , x2 = 0. But then d = (1/(x1 x2 ))2 .

 

Lemma 1 is similar to Theorem 3.3 of [6]. In the case of Jacobi quartic form, the statement of the lemma and its proof is shorter. We can prevent dx21 x22 = 1 even if d is a square in K. Lemma 2 states a sufficient condition. This lemma and its proof are similar to Corollary 1 in [19]. Lemma 2. Let a, d, x1 , y1 , x2 , y2 ∈ K such that d(a2 − d) = 0. Assume that P = (x1 , y1 ) and Q = (x2 , y2 ) are points of odd order on EJ,d,a . Then 1 − dx21 x22 = 0. We provide a proof in Appendix A. By elementary group theory, multiplying a point of even order with some power of 2 yields a point of odd order. More formulae. Jacobi elliptic functions give rise to many addition formulae, cf. [24], [8], and [2]. The original reference is [20]. The following formulae are congruent via the algebraic relations sn(·)2 +cn(·)2 = 1 and k 2 sn(·)2 +dn(·)2 = 1. sn(u1 + u2 ) = =

sn(u1 )cn(u2 )dn(u2 ) + cn(u1 )dn(u1 )sn(u2 ) 1 − k2 sn(u1 )2 sn(u2 )2

(3)

sn(u1 )2 − sn(u2 )2 . sn(u1 )cn(u2 )dn(u2 ) − cn(u1 )dn(u1 )sn(u2 )

(4)

To see the congruence, either take the arithmetic cross product and write sn(u1 )2 cn(u2 )2 dn(u2 )2 − cn(u1 )2 dn(u1 )2 sn(u2 )2 = (sn(u1 )2 − sn(u2 )2 )(1 − k2 sn(u1 )2 sn(u2 )2 )

—the rest follows when cn(·) is replaced with 1 − sn(·)2 and dn(·) is replaced with 1 − k 2 sn(·)— or simply run the Maple script > simplify(expand( JacobiSN(u1 + u2, k) - ( (JacobiSN(u1, k)*JacobiCN(u2, k)*JacobiDN(u2, k) + JacobiSN(u2, k)*JacobiCN(u1, k)*JacobiDN(u1, k))/ (1 - k^2*JacobiSN(u1, k)^2*JacobiSN(u2, k)^2)))); 0

Formula (3) is analogous to (1) as pointed out in [2] via the relation (xi , yi ) = (sn(ui ), cn(ui )dn(ui )). Similarly, the analog of (4) is given by x3 =

x21 − x22 . x1 y2 − y1 x2

(5)

This formula is not defined if (x1 , y1 ) = (x2 , y2 ). This formula is independent of a and d. There are several other ways to derive (5). For instance, one may use

Jacobi Quartic Curves Revisited

455

the strategy applied in [19] for the derivation of dedicated addition formulae on twisted Edwards curves. Formula (5) is of minimal total degree. Therefore, the Monagan/Pearce minimal total degree algorithm in [23] can be used to derive this same formula (or maybe an alternative formula of same total degree if there exists one) departing from (1) or any other valid formula. Lemma 2 can be rewritten for (5). The proof is similar to the proof of Lemma 2. Lemma 3. Let a, d, x1 , y1 , x2 , y2 ∈ K such that d(a2 − d) = 0. Assume that P = (x1 , y1 ) and Q = (x2 , y2 ) are points of odd order on EJ,d,a . Assume that P = Q. Then x1 y2 − y1 x2 = 0. The choices for computing y3 are abundant. For instance, each of the following formulae computes y3 (except for a few exceptional inputs): (x21 + x22 )(y1 y2 − 2ax1 x2 ) − 2x1 x2 (1 + dx21 x22 ) , (x1 y2 − y1 x2 )2 (x1 y2 − y1 x2 )(y1 y2 + 2ax1 x2 ) + 2(x2 y2 − x1 y1 ) y3 = , (x1 y2 − y1 x2 )(1 − dx21 x22 ) y3 =

y3 =

x1 y1 (2 + 2ax21 − y12 ) − x2 y2 (2 + 2ax22 − y22 ) . (x1 y2 − y1 x2 )(1 − dx21 x22 )

(6) (7) (8)

Relevant Work. Efficient implementations often use inversion-free point doubling and point addition formulae. To the best of our knowledge all such proposals for Jacobi quartic curves reference from weighted projective coordinates which represent the points as (X : Y : Z)[1,2,1] = (λX : λ2 Y : λZ) for all nonzero λ ∈ K. Chudnovsky and Chudnovsky [8] proposed two inversion-free point addition and two inversion-free point doubling formulae using a slightly different quartic equation given by EJ˜,a ,b : y 2 = x4 + a x2 + b and using weighted projective coordinates. The formulae in [8, (4.10) on p.418] are analogous to (5) with the minor detail that the identity element is moved to one of two points at infinity. The arithmetic of this curve is similar to that of EJ,a,b due to the symmetry in the right hand side of the weighted projective equations Y 2 = X 4 + a X 2 Z 2 + b Z 4 and Y 2 = dX 4 + 2aX 2 Z 2 + Z 4 . Billet and Joye [2] proposed a faster inversion-free unified addition algorithm using (1) and (2). The term unified is used to emphasize that point addition formulae remain valid when two input points are identical, see [10, §29.1.2]. By Lemma 2, the Billet/Joye algorithm is complete if d is not a square in K and needs 10M + 3S + 1D. We remark that no faster way of inversion-free general point addition is known to date in (X : Y : Z)[1,2,1] coordinates. It remains an open question whether it is possible to speed up the addition in weighted (X : Y : Z)[1,2,1] coordinates. Nevertheless, the speed of the Billet/Joye algorithm was improved by Duquesne in [11] with the proposal of (X 2 : XZ : Z 2 : Y ) coordinates. Duquesne’s variant addition algorithm needs 9M + 2S + 1D saving 1M + 1S over the Billet/Joye algorithm by using slightly more space to

456

H. Hisil et al.

represent the points. Bernstein and Lange [5] extended this representation to (X : Y : Z : X 2 : 2XZ : Z 2 ) and (X : Y : Z : X 2 : 2XZ : Z 2 : X 2 + Z 2 ) saving an extra M − S (i.e. M-S trade-off) over Duquesne’s algorithm. A more detailed overview of these algorithms and operation counts can be found in the original papers or in the Explicit-Formulas Database (EFD) [5] which also reports 1M + 9S + 1D doubling algorithm by Bernstein/Lange, 2M + 6S + 2D doubling algorithm by Hisil/Carter/Dawson, and 2M + 6S + 1D doubling algorithm by Feng/Wu in (X : Y : Z)[1,2,1] . Duquesne coordinates (X 2 : XZ : Z 2 : Y )[2,2,2,2] use less space than redundant coordinates but need special treatment in the scalar multiplication to obtain the original coordinates (X : Y : Z)[1,2,1] of the final result. The original representation as (X : Y : Z)[1,2,1] in [2] uses even less space however this representation has to date been slower than the redundant coordinates. Hisil, Wong, Carter, and Dawson [17] introduced new point doubling formulae together with a fast point doubling algorithm costing only 3M + 4S in (X : Y : Z : X 2 : Z 2 ) if d = 1. Roughly at the same time essentially the same formulae were independently derived by Feng and Wu, see EFD [5]. These formulae were adapted to (X : Y : Z : X 2 : 2XZ : Z 2 ) coordinates with the same operation count in EFD. Later Hisil, Wong, Carter, and Dawson [18] introduced (for the case d = 1) new unified addition formulae which use 7M + 3S + 1D in (X : Y : Z : X 2 : Z 2 : XZ) and 7M + 4S + 1D in (X : Y : Z : X 2 : Z 2 ) and newer doubling formulae which need 2M + 5S + 1D in (X : Y : Z : X 2 : Z 2 ) and (X : Y : Z : X 2 : Z 2 : XZ). The redundant representations such as (X : Y : Z : X 2 : 2XZ : Z 2 : X 2 + Z 2 )[1,2,1,2,2,2,2] , (X : Y : Z : X 2 : 2XZ : Z 2 )[1,2,1,2,2,2] , (X : Y : Z : X 2 : Z 2 : X 2 + Z 2 )[1,2,1,2,2,2] , (X : Y : Z : X 2 : Z 2 )[1,2,1,2,2] , (X : Y : Z : X 2 : Z 2 : XZ)[1,2,1,2,2,2] help in the development of faster algorithms for performing point operations and their overall performance only slightly differs from each other. However, they all share one serious drawback. They need more space for storing the points in comparison to earlier proposals. Despite the speed advantage of these coordinate systems, the large space requirement makes the practical use of Jacobi quartic curves questionable since windowing techniques in scalar multiplication algorithms precompute and store several points. We aim to solve this disadvantage in subsequent sections. Furthermore we propose a faster doubling algorithms. Even more formulae. All of the affine formulae given in this section involve inversions in K. In cryptographic applications K is finite and computing inverses in a finite field can be very costly in comparison to the multiplication and addition operations. In §3 and §4 we will introduce inversion-free formulae which are simply derived by the adaptation of affine formulae to a suitable projective point representation. However, formulae given so far do not necessarily lead to

Jacobi Quartic Curves Revisited

457

the fastest inversion free algorithms to perform the basic operations; point doubling and point addition. Therefore we propose new affine point doubling and point addition formulae to assist following sections. Let (x1 , y1 ) ∈ EJ,d,a (K). Assuming that (x3 , y3 ) is defined we have 2(x1 , y1 ) = (x3 , y3 ) where x3 = µx1 , y3 = µ(µ − y1 ) − 1

(9) (10)

2y1 /(2 + 2ax21 − y12 ).

with μ = In the derivations of (9) and (10) we were inspired by the results in [6] and [18]. If d is a square in K then these point doubling formulae work for all inputs i.e. (x3 , y3 ) is defined for all inputs. If d is a square in K then there exist two points at infinity of order two. The double of these points is (0, 1). If (2 + 2ax21 − y12 ) = 0 then (x1 , y1 ) is a point of order 4 and the output is a point at infinity. Further let (x2 , y2 ) ∈ EJ,d,a (K). Assuming that (x3 , y3 ) is defined we have (x1 , y1 ) + (x2 , y2 ) = (x3 , y3 ) where x3 is defined as in (5) and y3 =

 (x1 − x2 )2  y1 y2 − 2ax1 x2 + 1 + dx21 x22 − 1. 2 (x1 y2 − y1 x2 )

(11)

In addition, if s ∈ K such that d = s2 then we can also write y3 =

(1 + sx1 x2 )2 (y1 y2 + 2ax1 x2 + sx21 + sx22 ) − sx23 (1 − dx21 x22 )2

(12)

where x3 is given by (1). Formulae (11) and (12) compute the same result as (2), (6), (7), and (8). Formula (12) is defined if (x1 , y1 ) = (x2 , y2 ). Formula (11) is not defined if (x1 , y1 ) = (x2 , y2 ). Both formulae are incomplete, i.e. (x3 , y3 ) is not defined for a few special inputs.

3

Homogeneous Projective Coordinates, Q

Projective coordinates are used as basic tools in designing inversion-free algorithms to carry out group arithmetic on elliptic curves. In the case of Jacobi quartic curves, we consider homogenous projective coordinates (X : Y : Z)[1,1,1] for efficiency purposes for the first time. From now on we omit the informative subscript [1, 1, 1] for these coordinates. In homogeneous projective coordinates each point (x, y) is represented by the triplet (X : Y : Z) which satisfies the projective equation Y 2 Z 2 = dX 4 +2aX 2Z 2 + Z 4 and corresponds to the affine point (X/Z, Y /Z) with Z = 0. The identity element is represented by (0 : 1 : 1). The negative of (X : Y : Z) is (−X : Y : Z). In the following subsection, we provide efficient point doubling formulae. 3.1

Point Doubling in Q

We remark that the fastest-so-far three-coordinate point doubling algorithm in [5, dbl-2007-fw-2] costs 2M+ 6S+ 1D in (X : Y : Z)[1,2,1] . We also remark that this algorithm assumes d = 1.

458

H. Hisil et al.

In this section we introduce new efficient doubling formulae. Given (X1 : Y1 : Z1 ) with Z1 = 0 the point doubling can be performed as 2(X1 : Y1 : Z1 ) = (X3 : Y3 : Z3 ) where X3 = 2X1 Y1 (2Z12 + 2aX12 − Y12 ),

Y3 = 2Y12 (Y12 − 2aX12 ) − (2Z12 + 2aX12 − Y12 )2 , Z3 = (2Z12 + 2aX12 − Y12 )2 . (13)

We obtained these formulae from (9). With these formulae a point doubling takes 2M + 5S + 1D where 1D is multiplication with a. These formulae do not depend on d. Therefore keeping d arbitrary has no effect on the cost of (13). If a = ± − 1/2 then a point doubling takes 2M + 5S. Note √ √ 2a can be rescaled to −1 via the map (x, y)  → (x/ −2a, y) provided that −2a ∈ K. This map transforms the curve y 2 = dx4 + 2ax2 + 1 to y 2 = (d/(4a2 ))x4 − x2 + 1. Alternatively, a curve having a = −1/2 can be selected without rescaling. We comment that similar arguments apply to the case a = 1/2. For justifications and more on operation counts see DBL-Q-x in the Appendix B. The proposed algorithm(s) are faster than other three-coordinate point doubling algorithms for Jacobi quartic curves. 3.2

Point Addition in Q

It would be convenient to give an efficient point addition algorithm for the projective coordinates. However, the fastest point addition algorithms that we could design were quite uncompetitive in comparison to the previous proposals in other coordinate systems. Therefore, we leave this as an open question. As a remedy to this, we will introduce fast point addition algorithms on a new coordinate system in the next section and show that the new point addition algorithms can be efficiently combined with the fast doubling algorithms from §3.1.

4

Extended Homogeneous Projective Coordinates, Qe

Jacobi quartic curves not only have a rich body of formulae but also allow us to use various efficient point representations. We have already given a detailed review in §2. This section introduces a new representation of points on Jacobi quartic curves and provides efficient algorithms to perform group operations on Jacobi quartic form elliptic curves. Some of the results in this section are analogous to our earlier work [19]. In the new system a point (x, y) ∈ EJ,d,a (K) is represented by (X : Y : T : Z) where T = X 2 /Z and (X : Y : T : Z)[1,1,1,1] = (λX : λY : λT : λZ) = (x : y : x2 : 1) for all nonzero λ ∈ K. From now on we omit the informative subscript [1, 1, 1, 1] for these coordinates. Each quadruplet (X : Y : T : Z) simultaneously satisfy the homogeneous projective equations  X2 − T Z = 0 (14) Y 2 − dT 2 − 2aX 2 − Z 2 = 0

Jacobi Quartic Curves Revisited

459

or simply the homogeneous projective equation Y 2 Z 2 = dX 4 + 2aX 2 Z 2 + Z 4

(15)

where T is omitted in the latter case. A point representation (X : Y : Z) satisfying (15) can be converted to the new coordinates by computing (XZ : Y Z : X 2 : Z 2 ) with Z = 0 in 1M + 3S. This coordinate system will be denoted by Qe in the rest of the paper. The identity element is represented by the quadruplet (0 : 1 : 0 : 1). The negative of (X : Y : T : Z) is (−X : Y : T : Z). 4.1

Dedicated Point Doubling in Qe

Given (X1 : Y1 : T1 : Z1 ) with Z1 = 0 satisfying (15), point doubling can be performed as 2(X1 : Y1 : T1 : Z1 ) = (X3 : Y3 : T3 : Z3 ) where X3 , Y3 , and Z3 are the same as (13) and T3 = (2X1 Y1 )2 .

(16)

If a = −1/2 then the operations can be performed with a 0M + 8S algorithm. Again the formulae do not depend on d. Therefore keeping d arbitrary has no effect on the cost of (13). There are many M/S trade-offs possible for doubling in Qe when a is arbitrary or when a = −1/2. For justifications and more on operation counts see DBL-Qe-x in Appendix B. In §5, we will mix Qe with Q to benefit from faster doubling algorithms proposed in §3.1. In §5, we will use point doubling from this section to develop a double-and-add algorithm. 4.2

Dedicated Point Addition in Qe

Given (X1 : Y1 : T1 : Z1 ) and (X2 : Y2 : T2 : Z2 ) with Z1 = 0 and Z2 = 0 and (X1 : Y1 : T1 : Z1 ) = (X2 : Y2 : T2 : Z2 ), a dedicated addition can be performed as (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ) = (X3 : Y3 : T3 : Z3 ) where X3 = (X1 Y2 − Y1 X2 )(T1 Z2 − Z1 T2 ), Y3 = (Y1 Y2 − 2aX1 X2 )(T1 Z2 + Z1 T2 ) − 2X1 X2 (Z1 Z2 + dT1 T2 ), T3 = (T1 Z2 − Z1 T2 )2 , Z3 = (X1 Y2 − Y1 X2 )2 . (17)

We derived these formulae using (5) and (6) in §2. Without any assumptions on the curve constants, Y3 can alternatively be written as   Y3 = (T1 Z2 + Z1 T2 − 2X1 X2 ) Y1 Y2 − 2aX1 X2 + Z1 Z2 + dT1 T2 − Z3 .

(18)

We obtained these formulae from (11). If a = −1/2 then the dedicated addition costs 7M+3S+2D with the use of (18). For justifications and more on operation counts see ADD-Qe-x in Appendix B.

460

4.3

H. Hisil et al.

Unified Point Addition in Qe

Given (X1 : Y1 : T1 : Z1 ) and (X2 : Y2 : T2 : Z2 ) with Z1 = 0 and Z2 = 0, a unified addition can be performed as (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ) = (X3 : Y3 : T3 : Z3 ) where X3 = (X1 Y2 + Y1 X2 )(Z1 Z2 − d T1 T2 ), Y3 = (Y1 Y2 + 2aX1 X2 )(Z1 Z2 + d T1 T2 ) + 2dX1 X2 (T1 Z2 + Z1 T2 ), T3 = (X1 Y2 + Y1 X2 )2 , Z3 = (Z1 Z2 − d T1 T2 )2 . (19)

These formulae are analogous to (1) and (2) hence complete1 by Lemma 1 if d is not a square in K. Let s ∈ K such that d = s2 . Alternatively, we can write Y3 = (Z1 Z2 + dT1 T2 + 2sX1 X2 )(Y1 Y2 + 2aX1 X2 + sT1 Z2 + sZ1 T2 ) − sT3 . (20)

We obtained this formula from (12) and following the derivation notes in [18, §2.1]. In this case, the addition is still unified. However, the completeness is lost. Nevertheless, logical checks can be eliminated if the inputs are selected as indicated in Lemma 2. As indicated before these algorithms do not strictly require d = 1. For justifications and more on operation counts see UADD-Qe-x in Appendix B. The new representation is solidly faster than the representation in [2]. The new representation can be equally fast as (or even faster than) the representation [11]. The special treatment in [11] for obtaining the original coordinates is also removed since (X3 : Y3 : T3 : Z3 ) satisfies the homogeneous projective Jacobi quartic curve. The new representation can be equally fast as the representations in [5], [17], and [18]. However this is achieved by using only 4 coordinates rather than 5, 6, or 7 coordinates.

5

Mixed Homogeneous Projective Coordinates, Q + Qe

The construction in this section is the same as [19, §4.3] and is closely linked with [9]. Therefore, we only give a brief outline of the technique. The details can be extracted from the original papers. Most of the efficient scalar multiplication implementations are based on a suitable combination of signed integer recoding (such as NAF, MOF), fast precomputation and left-to-right sliding fractional-windowing techniques. The resulting algorithm is doubling intensive. Roughly for each bit of the scalar one doubling is performed. Additions are accessed less frequently. Excluding the additions used in the precomputation phase, approximately l/(w + 1) additions are needed where l is the number of bits in the scalar and w is the window length. w is used to control space consumption and optimize the total running time. 1

If d is not a square in K then the point (0 : 1 : 0) is not defined over K and should be omitted though it seems to satisfy the curve equation (15).

Jacobi Quartic Curves Revisited

461

An abstract view of the scalar multiplication is composed of several repeateddoublings each followed by a single addition. In our specific case, these operations are performed in the following way: (i) If a point doubling is followed by another point doubling, use Q ← 2Q. (ii) If a point doubling is followed by a point addition, use 1. Qe ← 2Q for the point doubling step; followed by, 2. Q ← Qe + Qe for the point addition step. Suppose that a repeated-doubling phase is composed of m doublings. In (i), m−1 successive doublings in Q are performed with the fastest DBL-Q-x algorithm explained in §3.1 and given in Appendix B. In (ii), the remaining doubling is merged with the single addition phase to yield a combined double-and-add step; a similar approach to [12]. To perform the double-and-add operation we first compute the doubling step with the fastest DBL-QtoQe-x algorithm explained in §4.1 and given in Appendix B. This algorithm is suitable to compute Qe ← 2Q since the inputs are only composed of the coordinates X, Y , Z and the output is still produced in Qe . We then perform the addition in Qe using ADD-Qe-2 which is explained in §4.2 and given in Appendix B but output only the coordinates of Q. Note that the last operation of ADD-Qe-2 (i.e. T3 ← T32 ) can be confidently removed to save 1S since the result is in Q (not Qe ). If we use DBL-Q-1 for repeated doubling operations and a combination of DBL-QtoQe-1 and ADD-Qe-2 for double-and-add operations then we need only 2M + 5S for each doubling and we effectively need ((8S) + (8M + 2S + 2D − 1S)) − (2M + 5S) = 6M + 4S + 2D for each addition step. We should note that the precomputed points are kept in Qe which is composed of 4 coordinates rather than 3. On the other hand, we do not need 5, 6, or 7 coordinates as is the case in [5], [17], and [18]. By lemma 3, all logical checks to handle exceptional inputs can be eliminated if the base point is of odd order.

6

Experimental Results

This section provides implementation timings for single-variable-point-singlevariable-scalar elliptic curve scalar multiplication. We have used a single core of Intel Core 2 Duo (E6550) processor in our experimentations. Finite field operations. Following the implementation notes from [15] and [14], we have written a hand-crafted finite field layer using x86-64 instruction set and GCC extended inline assembly. We have designed our field arithmetic layer to serve for fields Fp where p is of the form 2256 − c such that c is smaller than or equal to 64 bits. In our experimentations we have fixed c = 587. Elliptic curve operations. We have selected Q-DBL-2 as the doubling algorithm and a combination of Q-DBL-2 and Qe-ADD-2 as the double-and-add algorithm. This decision is due to the fact that the cost of additions is not so negligible in 64 bit applications. This was previously discussed in [15].

462

H. Hisil et al.

Scalar multiplication algorithm. We have implemented Algorithm 3.38 in [16] by modifying Steps 4.3 and Steps 4.4 as we discussed in §5. Integer recoding. We have used Avanzi’s w-LtoR integer recoding algorithm [1]. We have determined w = 5 to be the optimal window length in our implementation. We have not incorporated fractional windowing techniques [22] to our implementation following the comments in [14]. Lookup table. To accommodate the 5-LtoR technique 3P, 5P, . . . , 15P are precomputed by the sequence of operations 2P, 2P + P, 2P + 3P, . . . , 2P + 13P . A new precomputation strategy in [21] is of interest for implementation. We have not implemented this approach yet. In our implementation I/M ≈ 121. Therefore we have not normalized the precomputed values following the analysis [3]. Also following the same reference, we have derived and implemented double and add algorithms in Qe with Z = 1. These special operations save time in the precomputation. Table 1 summarizes measured average clock cycles for primitive operations for a single-variable-point-single-variable-scalar multiplication on EJ,−1/2,d for some fixed d. Table 1. 256-bit scalar multiplication on Intel Core 2 Duo (E6550) Operation

Cycles

Precomputation Main loop Normalization

17,000 345,000 14,000

Total

376,000

We should warn the reader that we have detected these cycle counts with our local benchmarking tools. Unfortunately, we have not yet integrated our implementation to the commonly accepted toolkit SUPERCOP, a benchmarking framework within eBACS, the benchmarking project of ECRYPT II [4]. Therefore we do not claim verifiability at this stage. We should also warn the reader that our implementation is a variable-singlepoint-variable-single-scalar multiplication. In the case where the base point is fixed the timings can be dramatically improved by using Algorithm 3.44 or Algorithm 3.45 in [16]. Indeed such an approach was used in [14] for Diffie-Hellman key pair generation where the base point is fixed. Note also that our implementation does not incorporate the Galbraith-Lin-Scott (GLS) homomorphism [14] which has been recently shown to yield faster results. In our implementation, a scalar multiplication on EJ,−1/2,d takes approximately 1162M + 1110S + 102D. In addition, there are approximately 1796 calls to faster field operations (such as addition, subtraction, division by 2, etc.). As the comparative part of our work, we have also covered Weierstrass (a = −3) and twisted Edwards (a = −1) curves in our implementation. For the twisted Edwards implementation we have followed [19, §4.3]. We have used doubling

Jacobi Quartic Curves Revisited

463

formulae from [7]. For the Weierstrass implementation we have collected the most efficient formulae from EFD [5]. In our implementation, a scalar multiplication on the Weierstrass curve y 2 = x3 − 3x + b for some fixed b with w = 5 — optimum— takes approximately 1598M + 1156S + 0D. In addition, there are approximately 2896 calls to faster field operations (such as addition, subtraction, division by 2, etc.). In our implementation, a scalar multiplication on the twisted Edwards curve −x2 + y 2 = 1 + dx2 y 2 for some fixed d with w = 6 —optimum— takes approximately 1202M + 969S + 0D. In addition, there are approximately 2025 calls to faster field operations (such as addition, subtraction, division by 2, etc.). We have not tested the performance of formulae in [18] yet. Table 2 summarizes measured average clock cycles for a single-variable-pointsingle-variable-scalar multiplication on different representations of elliptic curves. Table 2. 256-bit scalar multiplication on Intel Core 2 Duo (E6550) Curve Weierstrass (a = −3), Jacobian Jacobi quartic (a = −1/2), Q + Qe Twisted Edwards (a = −1), E + E e

Cycles 418,000 376,000 362,000

In this implementation Jacobi quartic curves runs significantly faster than Weierstrass curves and slightly slower than twisted Edwards curves.

7

Conclusion

We introduced new results for performing arithmetic on Jacobi quartic curves. In §2, we proved that earlier formulae (1) and (2) in the literature are complete provided that d is a not a square in the underlying field K. We explored several affine formulae some being known to date and some being new. In §3 and §4, we carefully selected the most suitable affine formulae and then with suitable point representations converted them to projective form. In this context, for the first time we used homogeneous projective coordinates on Jacobi quartic curves for efficiency purposes and introduced new and faster doubling algorithms. In addition, we introduced a new point representation namely extended homogeneous projective coordinates, Qe , for Jacobi quartic curves. This coordinate system allows very efficient point addition operations using fewer coordinates in comparison to recent proposals for Jacobi quartic curves. In §6 we reported our experimental results using state-of-art formulae for Jacobi quartic, twisted Edwards, and Weierstrass curves. In our implementation Jacobi quartic curves are approximately 20% faster than Weierstrass curves. With our proposal Jacobi quartic curves can provide similar speeds to twisted Edwards curves in variable-point-and-variable-scalar multiplications. The point doubling on a Jacobi quartic curve is slightly faster than that of Edwards curves. Note that doubling is the most frequently accessed elliptic curve group operation in variable-point-and-variable-scalar multiplications. On the other hand,

464

H. Hisil et al.

Jacobi quartic curves seem to be slower on the double-and-add operation (§5) in comparison to twisted Edwards curves. In overall timings for variable-singlepoint-variable-single-scalar multiplication Jacobi quartic curves are competitive with (but slightly slower than) twisted Edwards curves. It should be noted here that there are elliptic curves of order 2-times-a-prime where our methods are applicable with the use of the Jacobi quartic curves with a = −1/2. However, such curves cannot be written (over the base field) in twisted Edwards form.

References 1. Avanzi, R.M.: A note on the signed sliding window integer recoding and its left-toright analogue. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 130–143. Springer, Heidelberg (2004) 2. Billet, O., Joye, M.: The Jacobi model of an elliptic curve and side-channel analysis. In: Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.) AAECC 2003. LNCS, vol. 2643, pp. 34–42. Springer, Heidelberg (2003) 3. Bernstein, D.J., Lange, T.: Analysis and optimization of elliptic-curve single-scalar multiplication. In: Finite Fields and Applications Fq8. Contemporary Mathematics, American Mathematical Society, vol. 461, pp. 1–18 (2008) 4. Bernstein, D.J., Lange, T.: eBACS: ECRYPT benchmarking of cryptographic systems (2008), http://bench.cr.yp.to 5. Bernstein, D.J., Lange, T.: Explicit-formulas database, http://www.hyperelliptic.org/EFD 6. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007) 7. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389– 405. Springer, Heidelberg (2008) 8. Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Mathematics 7(4), 385–434 (1986) 9. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998) 10. Cohen, H., Frey, G. (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, Boca Raton (2005) 11. Duquesne, S.: Improving the arithmetic of elliptic curves in the Jacobi model. Information Processing Letters 104(3), 101–105 (2007) 12. Eisentr¨ ager, K., Lauter, K., Montgomery, P.L.: Fast elliptic curve arithmetic and improved Weil pairing evaluation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 343–354. Springer, Heidelberg (2003) √ = 13. Euler, L.: De integratione aequationis differentialis m dx/ 1 − x4 n dy/ 1 − y 4 . Novi Commentarii Academiae Scientiarum Petropolitanae 6, 37–57 (1761); Translated from the Latin √ by Langton, S.G.  On the integration of the differential equation m dx/ 1 − x4 = n dy/ 1 − y 4 , http://home.sandiego.edu/~ langton/eell.pdf 14. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009)

Jacobi Quartic Curves Revisited

465

15. Gaudry, P., Thom´e, E.: The mpFq library and implementing curve-based key exchanges. In: SPEED 2007, pp.49–64 (2007), http://www.loria.fr/~ gaudry/publis/mpfq.pdf 16. Hankerson, D., Menezes, A.J., Vanstone, S.A.: Guide to Elliptic Curve Cryptography. Springer, New York (2003) 17. Hisil, H., Carter, G., Dawson, E.: New formulae for efficient elliptic curve arithmetic. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 138–151. Springer, Heidelberg (2007) 18. Hisil, H., Wong, K.K., Carter, G., Dawson, E.: Faster group operations on elliptic curves. In: Australasian Information Security Conference (AISC 2009), Wellington, New Zealand (January 2009); Conferences in Research and Practice in Information Technology (CRPIT), vol. 98, pp. 7–19 (2009) 19. Hisil, H., Wong, K.K., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008) 20. Jacobi, C.G.J.: Fundamenta nova theoriae functionum ellipticarum. Sumtibus Fratrum Borntræger (1829) 21. Longa, P., Gebotys, C.: Novel precomputation schemes for elliptic curve cryptosystems. In: ACNS 2009. LNCS. Springer, Heidelberg (to appear, 2009) 22. M¨ oller, B.: Improved techniques for fast exponentiation. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 298–312. Springer, Heidelberg (2003) 23. Monagan, M., Pearce, R.: Rational simplification modulo a polynomial ideal. In: ISSAC 2006, pp. 239–245. ACM, New York (2006) 24. Whittaker, E.T., Watson, G.N.: A Course of Modern Analysis. Cambridge University Press, Cambridge (1927)

A

Appendix

Proof (Lemma 2). Points at infinity (over the extension of K where they exist) are of order 2. Assume that P and Q are of odd order. Thus, P , Q and P + Q cannot be the points at infinity. Since the formulae (1) and (2) are complete provided that the points at infinity are not involved, the denominator 1 − dx21 x22 must be nonzero. An algebraic approach is as follows. Suppose that 1−dx21 x22 = 0. Then x1 , x2 = 0 and we can write x21 = 1/(dx22 ). Suppose that P = ±Q. Then 1 − dx21 x22 = 1 − dx41 = 1 − dx42 = 0. It follows that R = 2P and S = 2Q are points at infinity. Therefore P and Q must be of order 4 which contradicts the hypothesis. From now on we assume P = ±Q. We now have 1 − dx41 = 0 and 1 − dx42 = 0. Using the relations x21 = 1/(dx22), 2 y2 = dx42 + 2ax22 + 1 and formulae (1) and (2) we get x(R)2 =

y(R) =

(2x1 y1 )2 2(1/(dx22 ))(d(1/(dx22 )2 + 2a(1/(dx22 ) + 1) (2x2 y2 )2 = = = x(S)2 , 4 2 2 2 2 (1 − dx1 ) (1 − d(1/(dx2 )) ) (1 − dx42 )2

(1 + dx41 )(y12 + 2ax21 ) + 4dx41 (1 − dx41 )2

=

(1 + d(1/(dx22 ))2 )((d(1/(dx22 )2 + 2a(1/(dx22 ) + 1)+2a(1/(dx22 )))+4d(1/(dx22 ))2 (1 − d(1/(dx22 ))2 )2

=

(1 + dx42 )(y22 + 2ax22 ) + 4dx42 = y(S). (1 − dx42 )2

466

H. Hisil et al.

Hence, R = ±S. But then R ∓ S = 2P ∓ 2Q = 2(P ∓ Q) = (0, 1). It follows that P ∓ Q is a point of order 2 since P = ±Q. Now either P is a point of even order or Q is a point of even order or both P and Q are points of even order. All conditions contradict the hypothesis. In conclusion 1 − dx21 x22 = 0.  

B

Appendix

These algorithms are optimized in a way that X1 -X2 -X3 , Y1 -Y2 -Y3 , T1 -T2 -T3 , and Z1 -Z2 -Z3 are allowed to be the same registers. The algorithm uses ti as temporary registers. a stands for an addition or a subtraction or a multiplication by 2 or a division by 2. 2M + 5S + 7a, DBL-Q-1, assumes a = −1/2, (X3 : Y3 : Z3 ) = 2(X1 : Y1 : Z1 ); t1 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , t1 ← t21 , X3 ← X3 + Y3 , t1 ← t1 − X3 , Z3 ← 2Z3 , Y3 ← X3 · Y3 , Y3 ← 2Y3 , Z3 ← Z3 − X3 , X3 ← t1 · Z3 , Z3 ← Z32 , Y3 ← Y3 − Z3 . 3M + 4S + 4a, DBL-Q-2, assumes a = −1/2, (X3 : Y3 : Z3 ) = 2(X1 : Y1 : Z1 ); t1 ← X1 · Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← X3 + Y3 , X3 ← X3 /2, Y3 ← Y3 · X3 , X3 ← Z3 − X3 , Z3 ← X32 , Y3 ← Y3 − Z3 , X3 ← t1 · X3 . 2M +5S+1D +8a, DBL-Q-3, (X3 : Y3 : Z3 ) = 2(X1 : Y1 : Z1 ); t1 ← X1 +Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , t1 ← t21 , t1 ← t1 − X3 , t1 ← t1 − Y3 , X3 ← kX3 , X3 ← Y3 + X3 , Z3 ← 2Z3 , Y3 ← X3 · Y3 , Y3 ← 2Y3 , Z3 ← Z3 − X3 , X3 ← t1 · Z3 , Z3 ← Z32 , Y3 ← Y3 − Z3 . 3M + 4S + 1D + 4a, DBL-Q-4, (X3 : Y3 : Z3 ) = 2(X1 : Y1 : Z1 ); t1 ← X1 · Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← kX3 , X3 ← X3 + Y3 , X3 ← X3 /2, Y3 ← Y3 · X3 , X3 ← Z3 − X3 , Z3 ← X32 , Y3 ← Y3 − Z3 , X3 ← t1 · X3 . 0M + 8S + 13a, DBL-Qe-1, DBL-QtoQe-1, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , T3 ← T32 , X3 ← X3 + Y3 , T3 ← T3 − X3 , Z3 ← 2Z3 , Z3 ← Z3 − X3 , X3 ← T3 + Z3 , T3 ← T32 , Z3 ← Z32 , X3 ← X32 , X3 ← X3 − T3 , X3 ← X3 − Z3 , Z3 ← 2Z3 , Y3 ← 2Y3 , Y3 ← Y32 , Y3 ← Y3 + T3 , Y3 ← Y3 − Z3 , T3 ← 2T3 . 1M+7S+9a, DBL-Qe-2, DBL-QtoQe-2, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , T3 ← T32 , X3 ← X3 + Y3 , T3 ← T3 − X3 , Z3 ← 2Z3 , Z3 ← Z3 − X3 , X3 ← T3 · Z3 , Z3 ← Z32 , T3 ← T32 , Y3 ← 2Y3 , Y3 ← Y32 , Y3 ← Y3 + T3 , Y3 ← Y3 /2, Y3 ← Y3 − Z3 . 2M+6S+6a, DBL-Qe-3, DBL-QtoQe-3, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 · Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← X3 + Y3 , X3 ← X3 /2, Z3 ← Z3 − X3 , X3 ← T3 · Z3 , Z3 ← Z32 , T3 ← T32 , Y3 ← Y32 , Y3 ← Y3 + T3 , Y3 ← Y3 /2, Y3 ← Y3 − Z3 . 3M+5S+4a, DBL-Qe-4, DBL-QtoQe-4, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 · Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← X3 + Y3 , X3 ← X3 /2, Y3 ← Y3 · X3 , X3 ← Z3 − X3 , Z3 ← X32 , Y3 ← Y3 − Z3 , X3 ← X3 · T3 , T3 ← T32 . 0M + 8S + 2D + 14a, DBL-Qe-5, DBL-QtoQe-5, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , T3 ← T32 , T3 ← T3 − X3 , t1 ← T3 − Y3 , X3 ← kX3 , X3 ← X3 + Y3 , Z3 ← 2Z3 , Z3 ← Z3 − X3 , T3 ← t21 , X3 ← t1 + Z3 , X3 ← X32 , Z3 ← Z32 , X3 ← X3 − T3 , X3 ← X3 − Z3 , Z3 ← 2Z3 , t1 ← kT3 , T3 ← 2T3 , Y3 ← 2Y3 , Y3 ← Y32 , Y3 ← Y3 + t1 , Y3 ← Y3 − Z3 . 1M + 7S + 1D + 12a, DBL-Qe-6, DBL-QtoQe-6, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); t1 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , t1 ← t21 , t1 ← t1 − X3 , t1 ← t1 − Y3 , X3 ← kX3 , X3 ← X3 + Y3 , Z3 ← 2Z3 , Y3 ← X3 · Y3 , Z3 ← Z3 − X3 , T3 ← t21 , X3 ← t1 + Z3 , Z3 ← Z32 , Y3 ← 2Y3 , Y3 ← Y3 − Z3 , X3 ← X32 , X3 ← X3 − T3 , X3 ← X3 − Z3 , X3 ← X3 /2. 1M + 7S + 2D + 10a, DBL-Qe-7, DBL-QtoQe-7, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); t1 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , t1 ← t21 , t1 ← t1 − X3 , t1 ← t1 − Y3 , X3 ← kX3 , X3 ← X3 + Y3 , Z3 ← 2Z3 , Z3 ← Z3 − X3 , X3 ← t1 · Z3 , T3 ← t21 , Z3 ← Z32 , Y3 ← 2Y3 , Y3 ← Y32 , t1 ← kT3 , Y3 ← Y3 + t1 , Y3 ← Y3 /2, Y3 ← Y3 − Z3 .

Jacobi Quartic Curves Revisited

467

2M + 6S + 1D + 8a, DBL-Qe-8, DBL-QtoQe-8, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 + Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , T3 ← T32 , T3 ← T3 − X3 , T3 ← T3 − Y3 , X3 ← kX3 , X3 ← Y3 + X3 , Z3 ← 2Z3 , Y3 ← X3 · Y3 , Y3 ← 2Y3 , Z3 ← Z3 − X3 , X3 ← T3 · Z3 , Z3 ← Z32 , Y3 ← Y3 − Z3 , T3 ← T32 . 2M+6S+2D+6a, DBL-Qe-9, DBL-QtoQe-9, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); t1 ← X1 ·Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← kX3 , X3 ← X3 +Y3 , X3 ← X3 /2, Z3 ← Z3 −X3 , X3 ← t1 ·Z3 , Z3 ← Z32 , T3 ← t21 , Y3 ← Y32 , t1 ← kT3 , Y3 ← Y3 + t1 , Y3 ← Y3 /2, Y3 ← Y3 − Z3 . 3M + 5S + 1D + 4a, DBL-Qe-10, DBL-QtoQe-10, (X3 : Y3 : T3 : Z3 ) = 2(X1 : Y1 : T1 : Z1 ); T3 ← X1 · Y1 , X3 ← X12 , Y3 ← Y12 , Z3 ← Z12 , X3 ← kX3 , X3 ← X3 + Y3 , X3 ← X3 /2, Y3 ← Y3 · X3 , X3 ← Z3 − X3 , Z3 ← X32 , Y3 ← Y3 − Z3 , X3 ← T3 · X3 , T3 ← T32 . 7M + 3S + 2D + 19a, ADD-Qe-1, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← dT2 , t2 ← t2 + Z2 , t1 ← t1 · t2 , t2 ← Z1 · T2 , T3 ← T1 · Z2 , t1 ← t1 − T3 , t3 ← dt2 , t1 ← t1 − t3 , t3 ← T3 + t2 , T3 ← T3 − t2 , Z3 ← X1 − Y1 , t2 ← X2 + Y2 , Z3 ← Z3 · t2 , t2 ← X1 · X2 , Y3 ← Y1 · Y2 , Z3 ← Z3 − t2 , Z3 ← Z3 + Y3 , Y3 ← Y3 + t1 , t1 ← 2t2 , t1 ← t3 − t1 , Y3 ← Y3 + t2 , Y3 ← t1 · Y3 , X3 ← Z3 + T3 , X3 ← X32 , Z3 ← Z32 , Y3 ← Y3 − Z3 , X3 ← X3 − Z3 , T3 ← T32 , X3 ← X3 − T3 , X3 ← X3 /2. 8M + 2S + 2D + 15a, ADD-Qe-2, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← dT2 , t2 ← t2 + Z2 , t1 ← t1 · t2 , t2 ← Z1 · T2 , T3 ← T1 · Z2 , t1 ← t1 − T3 , t3 ← dt2 , t1 ← t1 − t3 , t3 ← T3 + t2 , T3 ← T3 − t2 , Z3 ← X1 − Y1 , t2 ← X2 + Y2 , Z3 ← Z3 · t2 , t2 ← X1 · X2 , Y3 ← Y1 · Y2 , Z3 ← Z3 − t2 , Z3 ← Z3 + Y3 , Y3 ← Y3 + t1 , t1 ← 2t2 , t1 ← t3 − t1 , Y3 ← Y3 + t2 , Y3 ← t1 · Y3 , X3 ← Z3 · T3 , Z3 ← Z32 , Y3 ← Y3 − Z3 , T3 ← T32 . 7M + 3S + 3D + 19a, ADD-Qe-3, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← dT2 , t2 ← t2 + Z2 , t1 ← t1 · t2 , t2 ← Z1 · T2 , T3 ← T1 · Z2 , t1 ← t1 − T3 , t3 ← dt2 , t1 ← t1 − t3 , t3 ← T3 + t2 , T3 ← T3 − t2 , Z3 ← X1 − Y1 , t2 ← X2 + Y2 , Z3 ← Z3 · t2 , t2 ← X1 · X2 , Y3 ← Y1 · Y2 , Z3 ← Z3 − t2 , Z3 ← Z3 + Y3 , Y3 ← Y3 + t1 , t1 ← 2t2 , t1 ← t3 − t1 , t2 ← kt2 , Y3 ← Y3 + t2 , Y3 ← t1 · Y3 , X3 ← Z3 + T3 , X3 ← X32 , Z3 ← Z32 , Y3 ← Y3 − Z3 , X3 ← X3 − Z3 , T3 ← T32 , X3 ← X3 − T3 , X3 ← X3 /2. t1 t3 t2 t2

8M + 2S + 3D + 15a, ADD-Qe-4, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); ← T1 + Z1 , t2 ← dT2 , t2 ← t2 + Z2 , t1 ← t1 · t2 , t2 ← Z1 · T2 , T3 ← T1 · Z2 , t1 ← t1 − T3 , ← dt2 , t1 ← t1 − t3 , t3 ← T3 + t2 , T3 ← T3 − t2 , Z3 ← X1 − Y1 , t2 ← X2 + Y2 , Z3 ← Z3 · t2 , ← X1 · X2 , Y3 ← Y1 · Y2 , Z3 ← Z3 − t2 , Z3 ← Z3 + Y3 , Y3 ← Y3 + t1 , t1 ← 2t2 , t1 ← t3 − t1 , ← kt2 , Y3 ← Y3 + t2 , Y3 ← t1 · Y3 , X3 ← Z3 · T3 , Z3 ← Z32 , Y3 ← Y3 − Z3 , T3 ← T32 .

7M + 3S + 1D + 18a, UADD-Qe-1, assumes d = 1, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , t1 ← t1 − t2 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , t3 ← T3 − X3 , t3 ← t3 − Y3 , T3 ← t23 , Y3 ← Y3 + t1 , t1 ← 2X3 , t1 ← t1 + t2 , t2 ← kX3 , Y3 ← Y3 − t2 , Y3 ← Y3 · t1 , Y3 ← Y3 − T3 , X3 ← t3 + Z3 , X3 ← X32 , Z3 ← Z32 , X3 ← X3 − Z3 , X3 ← X3 − T3 , X3 ← X3 /2. 8M + 2S + 1D + 14a, UADD-Qe-2, assumes d = 1, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , t1 ← t1 − t2 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , t3 ← T3 − X3 , t3 ← t3 − Y3 , T3 ← t23 , Y3 ← Y3 + t1 , t1 ← 2X3 , t1 ← t1 + t2 , t2 ← kX3 , Y3 ← Y3 − t2 , Y3 ← Y3 · t1 , Y3 ← Y3 − T3 , X3 ← t3 · Z3 , Z3 ← Z32 . 7M + 3S + 5D + 18a, UADD-Qe-3, assumes d = s2 , (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← sT1 , t2 ← sT2 , T3 ← t1 t2 , t1 ← t1 + Z1 , t2 ← t2 + Z2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , t1 ← t1 − t2 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 ·Y2 , T3 ← T3 ·t3 , T3 ← T3 −X3 , t3 ← T3 −Y3 , Y3 ← Y3 +t1 , T3 ← t23 , t1 ← 2s, t1 ← t1 ·X3 , t1 ← t1 + t2 , t2 ← kX3 , Y3 ← Y3 − t2 , Y3 ← Y3 · t1 , t1 ← sT3 , Y3 ← Y3 − t1 , X3 ← t3 + Z3 , X3 ← X32 , Z3 ← Z32 , X3 ← X3 − Z3 , X3 ← X3 − T3 , X3 ← X3 /2, 8M + 2S + 5D + 14a, UADD-Qe-4, assumes d = s2 , (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← sT1 , t2 ← sT2 , T3 ← t1 · t2 , t1 ← t1 + Z1 , t2 ← t2 + Z2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , t1 ← t1 − t2 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , T3 ← T3 − X3 , t3 ← T3 − Y3 , Y3 ← Y3 + t1 , T3 ← t23 , t1 ← 2s, t1 ← t1 · X3 , t1 ← t1 + t2 , t2 ← kX3 , Y3 ← Y3 − t2 , Y3 ← Y3 · t1 , t1 ← sT3 , Y3 ← Y3 − t1 , X3 ← t3 · Z3 , Z3 ← Z32 . 8M + 3S + 2D + 17a, UADD-Qe-5, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t1 ← t1 − T3 , t1 ← t1 − Z3 , T3 ← dT3 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , T3 ← X1 + Y1 , t3 ← X2 + Y2 ,

468

H. Hisil et al.

X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , T3 ← T3 − X3 , T3 ← T3 − Y3 , t1 ← t1 d, t1 ← t1 · X3 , t1 ← 2t1 , Y3 ← Y3 − X3 , Y3 ← Y3 · t2 , Y3 ← Y3 + t1 , X3 ← Z3 + T3 , X3 ← X32 , T3 ← T32 , Z3 ← Z32 , X3 ← X3 − T3 , X3 ← X3 − Z3 , X3 ← X3 /2. 9M + 2S + 2D + 13a, UADD-Qe-6, assumes a = −1/2, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t1 ← t1 − T3 , t1 ← t1 − Z3 , T3 ← dT3 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , T3 ← T3 − X3 , T3 ← T3 − Y3 , t1 ← dt1 , t1 ← t1 · X3 , t1 ← 2t1 , Y3 ← Y3 − X3 , Y3 ← Y3 · t2 , Y3 ← Y3 + t1 , X3 ← Z3 · T3 , T3 ← T32 , Z3 ← Z32 . 8M + 3S + 3D + 17a, UADD-Qe-7, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t1 ← t1 − T3 , t1 ← t1 − Z3 , T3 ← dT3 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , T3 ← T3 − X3 , T3 ← T3 − Y3 , t1 ← dt1 , t1 ← t1 · X3 , t1 ← 2t1 , X3 ← kX3 , Y3 ← Y3 − X3 , Y3 ← Y3 · t2 , Y3 ← Y3 + t1 , X3 ← Z3 + T3 , X3 ← X32 , T3 ← T32 , Z3 ← Z32 , X3 ← X3 − T3 , X3 ← X3 − Z3 , X3 ← X3 /2. 9M + 2S + 3D + 13a, UADD-Qe-8, (X3 : Y3 : T3 : Z3 ) = (X1 : Y1 : T1 : Z1 ) + (X2 : Y2 : T2 : Z2 ); t1 ← T1 + Z1 , t2 ← T2 + Z2 , T3 ← T1 · T2 , Z3 ← Z1 · Z2 , t1 ← t1 · t2 , t1 ← t1 − T3 , t1 ← t1 − Z3 , T3 ← dT3 , t2 ← Z3 + T3 , Z3 ← Z3 − T3 , T3 ← X1 + Y1 , t3 ← X2 + Y2 , X3 ← X1 · X2 , Y3 ← Y1 · Y2 , T3 ← T3 · t3 , T3 ← T3 − X3 , T3 ← T3 − Y3 , t1 ← dt1 , t1 ← t1 · X3 , t1 ← 2t1 , X3 ← kX3 , Y3 ← Y3 − X3 , Y3 ← Y3 · t2 , Y3 ← Y3 + t1 , X3 ← Z3 · T3 , T3 ← T32 , Z3 ← Z32 .

Author Index

Ahmed, Irfan 44 Aoki, Kazumaro 214 Asano, Tomoyuki 293 Aumasson, Jean-Philippe Bozta¸s, Serdar 122 Brier, Eric 202 Buldas, Ahto 264 Camp, L. Jean 249 Carter, Gary 452 Cheong, K.Y. 377 Chew, Guanhan 73 Chow, Sherman S.M. 327 Choy, Jiali 73 Chu, Cheng-Kang 327 Dawson, Ed 452 Delwadia, Vipul 8 Deng, Robert H. 327 El Mrabet, Nadia

422

Fleischmann, Ewan 60 Franklin, Matthew K. 309 Gorski, Michael

60

Henricksen, Matt 108 Hisil, Huseyin 452 Hiwatari, Harunaga 293 Hong, Jeongdae 309 Hong, ManPyo 44 J¨ urgenson, Aivo

264

Kesdogan, Dogan 26 Khoo, Khoongming 73 Kim, Jihye 309 Kim, Jinil 309 Kocair, C ¸ elebi 90 Komisarczuk, Peter 8 Koshiba, Takeshi 377

Lhee, Kyung-suk 44 Lory, Peter 250 Lucks, Stefan 60 202 Matsuda, Toshihide 343 Meier, Willi 202 Miyaji, Atsuko 134 Mu, Yi 153 Nandi, Mridul 171 Naya-Plasencia, Mar´ıa 202 Negre, Christophe 422 Niitsoo, Margus 264 Nishimaki, Ryo 343 Nishiyama, Shohei 377 Numayama, Akira 232, 343 ¨ Ozen, Onur

90

Park, Kunsoo 309 Paterson, Kenneth G. 276 Peyrin, Thomas 202 Pham, Dang Vinh 26 Puglisi, Simon J. 122 Reyhanitabar, Mohammad Reza Sakumoto, Koichi 293 Sasaki, Yu 214 Seifert, Christian 8 Shin, Hyunjung 44 Simpson, Leonie 108 Srinivasan, Sriramkrishnan Stebila, Douglas 389 Stinson, Douglas R. 360 Stirling, David 8 Sukegawa, Masahiro 134 Susilo, Willy 153

276

Tanaka, Keisuke 232, 293, 343 Tezcan, Cihangir 90 Tunstall, Michael 437 Turpin, Andrew 122 Ustaoglu, Berkant

389

153

470

Author Index

Varıcı, Kerem 90 von Solms, Basie 1 Wang, Xiaoyun 185 Welch, Ian 8 Weng, Jian 327 Wikstr¨ om, Douglas 407

Wong, Kenneth Koon-Ho Wu, Jiang 360 Yap, Huihui 73 Yap, Wun-She 108 Yu, Hongbo 185 Zhou, Jianying

327

452